Ubuntu – Self-signed cert with Subject Alternative Names


I'm attempting to create a self-signed cert with SANs using OpenSSL on Ubuntu 14.10. I have been able to successfully generate a CSR that includes the proper extensions.

When I generate the certificate using the CSR, the SAN information does not make it through.


[ ca ]
default_ca  = CA_default

[ CA_default ]
dir     = ./demoCA      # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
new_certs_dir   = $dir/newcerts     # default place for new certs.
certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem    # The private key
RANDFILE    = $dir/private/.rand    # private random number file
x509_extensions = v3_req        # The extensions to add to the cert
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options
copy_extensions = copy
default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering
policy      = policy_match

[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = usr_cert  # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = US
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = VA
localityName            = Locality Name (eg, city)
localityName_default            = Ashburn
organizationalUnitName      = Organizational Unit Name (eg, section)
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64
emailAddress_default            = vincent@exmaple.com

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20
unstructuredName        = An optional company name

[ usr_cert ]
nsComment           = "OpenSSL Generated Certificate"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ v3_ca ]
basicConstraints = CA:true

[ crl_ext ]

[ alt_names ]
IP.1 =

generate key:

openssl genrsa -out test.key 2048

generate csr:

openssl req -new -key test.key -out test.csr

verify csr:

openssl req -text -noout -in test.csr | grep "IP Address"
IP Address:

generate cert:

openssl x509 -req -in test.csr -signkey test.key -out test.pem

verify cert:

openssl x509 -text -noout -in test.pem | grep "IP Address"

Best Answer

From the openssl x509 docs, when using openssl x509 -req:

-extfile filename
  file containing certificate extensions to use. If not specified then no extensions are added to the certificate.

-extensions section
  the section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called "extensions" which contains the section to use. See the x509v3_config manual page for details of the extension section format.

Since your openssl x509 -req command is using neither the -extfile nor the -extensions option, and your openssl.cnf has a default/unnamed section which does not have an "extensions" variable, your generated self-signed certificate will not have the extensions.

Given this, you might try:

$ openssl x509 -req -in test.csr -signkey test.key -out test.pem -extensions v3_ca

Note that you would only want to do the above after you have edited your openssl.cnf so that the v3_ca section looks like:

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

i.e. that you have added the subjectAltName variable to that section as well, just like you have in the v3_req section. Without that, your self-signed certificate would have extensions, but not the SANs you desire. (I've also copied the keyUsage extensions from v3_req as well, on the assumption that you want those in your issued cert as well.) You might be tempted to just re-use that v3_req section, instead of updating v3_ca -- but you don't want to do that. Why? Because v3_req says that the cert is not a CA:

[ v3_req ]
basicConstraints = CA:FALSE

And since you're generating a self-signed cert, that is probably not what you want, either.

Hope this helps!
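The full procedure from the question (key, CSR, self-signed cert) together with the -extfile/-extensions route from the answer, as an added, runnable example that is not part of the original question or answer. Two points it makes concrete: `openssl x509 -req` reads extensions only from the file named by `-extfile` (the `-extensions` option just picks a section inside that file, so on its own no extensions are added), and the `copy_extensions = copy` setting in `[ CA_default ]` is honoured only by `openssl ca`, never by `openssl x509 -req`, which is why the SANs present in the CSR do not reach the certificate. The example keeps the question's own `v3_req` section (CA:FALSE) as the extension set, since this is a server certificate rather than a CA. The host name `test.example` and address `10.0.0.5` are constructed sample values, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Demonstrates why SANs vanish with `openssl x509 -req`: that command takes its
# extensions only from the file given with -extfile; it ignores the CSR's own
# extensions and the copy_extensions setting in [ CA_default ] (that setting
# is read only by `openssl ca`). Sample name/IP below are constructed values.
set -eu

# Write a minimal request config carrying the SAN list into $1/san.cnf.
write_san_config() {
    cat > "$1/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = test.example

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = test.example
IP.1  = 10.0.0.5
EOF
}

# Generate key and CSR in $1. The CSR does carry the SANs, because `req`
# honours req_extensions from its config.
make_key_and_csr() {
    write_san_config "$1"
    openssl genrsa -out "$1/test.key" 2048 2>/dev/null
    openssl req -new -key "$1/test.key" -config "$1/san.cnf" -out "$1/test.csr"
}

# What the question did: self-sign with no -extfile. The result carries no
# X509v3 extensions at all, so the SANs are gone.
sign_without_extfile() {
    openssl x509 -req -days 365 -in "$1/test.csr" -signkey "$1/test.key" \
        -out "$1/noext.pem" 2>/dev/null
}

# The fix for OpenSSL 1.0.x/1.1.x: hand the extension section to x509 explicitly.
# (OpenSSL 3.0+ alternatively accepts `-copy_extensions copy` to take them from the CSR.)
sign_with_extfile() {
    openssl x509 -req -days 365 -in "$1/test.csr" -signkey "$1/test.key" \
        -extfile "$1/san.cnf" -extensions v3_req -out "$1/san.pem" 2>/dev/null
}

# Print the SAN value line of a PEM certificate, or nothing if it has no SAN extension.
cert_san() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^[[:space:]]*//'
}

# Demo when run directly (skipped quietly if the openssl CLI is not installed).
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    make_key_and_csr "$workdir"
    sign_without_extfile "$workdir"
    sign_with_extfile "$workdir"
    printf 'without -extfile: [%s]\n' "$(cert_san "$workdir/noext.pem")"
    printf 'with -extfile:    [%s]\n' "$(cert_san "$workdir/san.pem")"
    rm -rf "$workdir"
fi
```

Run it as `sh san_cert.sh`: the first line prints an empty SAN for the certificate signed the way the question did it, the second prints `DNS:test.example, IP Address:10.0.0.5` for the one signed with `-extfile`/`-extensions`. If you want the SANs copied from the CSR automatically on an OpenSSL 1.0.x system, the CSR has to be signed with `openssl ca` (which is what `copy_extensions = copy` in the posted config is for), not with `openssl x509 -req`.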