I've battled with this little nugget myself ... what a PITA!
My solution: I moved all of the openssl.cnf file into a Template Toolkit file, leaving only the SANs piece as the replacement piece, then wrapped a Perl script around it.
The Perl script prompts for the SAN entries, then inserts them into the template, saves the template to a temp file, and then I call openssl req with the -config option pointed at the temp file. I discard the temp file after the CSR is generated.
You also might want to look at: http://www.openssl.org/docs/apps/config.html
There are others who override $ENV just prior to execution and wrap the call to openssl req in perl or shell and accomplish the same thing in a slightly more efficient manner: http://blog.loftninjas.org/2008/11/11/configuring-ssl-requests-with-subjectaltname-with-openssl/
No need to use any GUI wrappers to OpenSSL really; they never include all the options and add no value to the library. Nothing wrong with firing up the OpenSSL console, hitting ? to list all the commands and finding clarification on-line for those that you might need, IMHO. ;)
First thing to do is to make sure you have a valid openssl.cnf file in your openssl installation folder. If you're missing this file, then you can download it from here. Place this file in your openssl path and set the required environment variable to point to it:
set OPENSSL_CONF=[path & file name of your openssl.cnf file]
You will also need an additional config file with your domain controllers listed. Simplest is to just echo your list in a new file:
echo subjectAltName=DNS:dc1.example.com,DNS:dc2.example.com,DNS:dc3.example.com > example.com.cnf
Or you could create a new config file with Notepad, whatever. It will only require this single line in it:
subjectAltName=DNS:dc1.example.com,DNS:dc2.example.com,DNS:dc3.example.com
Then start the openssl console (openssl.exe) and create your self-signed certificate using these two configuration files (the openssl.cnf will load with the req command automatically from the environment variable OPENSSL_CONF we set previously):
genrsa -out example.com.key 1024
req -new -key example.com.key -out example.com.csr
Enter all the required data as it asks you to. You might want to skip entering the password phrase (A challenge password []) if this certificate will be used on a web server, so that you are not required to enter it each time you restart it. In which case just leave that field blank.
We're nearly done. Now we only need to generate our certificate and pass it the other configuration file to include our DNS aliases (or in your case all three domain controllers):
x509 -req -days 365 -in example.com.csr -signkey example.com.key -text -extfile example.com.cnf -out example.com.crt
That's it. You should have your new example.com.crt, example.com.key and example.com.csr files ready to go in your openssl folder, updated with the additional configuration that we set. You can check that your certificate includes our DNS names (Notepad will do; these values are in clear text).
Obviously, you could change these values to reflect your needs; this is only an example, using your own example values. If you don't want to fire up the OpenSSL console, then you can run all these commands from the system console just as well, preceding any command with openssl (a call to OpenSSL.exe). That's exactly equal to having the OpenSSL console open.
Hope that's what you wanted to do; don't hesitate to ask for clarification in the comments.
Cheers!
Best Answer
The error implies you have a typo and missed a d out of the command when you entered it the first time (-adext != -addext). If you take exactly what you've shown in the question and just remove all the {} so it uses domain-name.com as the domain, it fails because L= needs a value, but if you add in a value it then works just fine.
p.s. you also have an extra .com on the end
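As an added example that is not code from either answer above: a POSIX shell script that runs the earlier answer's three-step procedure (key, CSR, then x509 -req with the one-line SAN extfile) and the single-command req -x509 -addext form that the accepted answer is about (OpenSSL 1.1.1 or newer, and note the spelling, -addext), then checks the SAN list by parsing openssl x509 -text output instead of opening the PEM file in an editor, since a PEM certificate is base64 and the names are not readable there. It assumes openssl on PATH with a usable default openssl.cnf, uses 2048-bit keys, gives every subject field including L= a value so the non-interactive form does not fail, and the hostnames, subject fields and directory names are made up for the example. It also shows that the CN does not become a SAN on its own, which matters because modern clients match on SAN only.

```shell
#!/bin/sh
# Added example (not code from either answer above): issue a self-signed
# certificate carrying subjectAltName two ways, then prove the names are
# really in the certificate by parsing it with openssl rather than opening
# the PEM file in an editor (PEM is base64, so the names are not visible).
# Assumes: openssl on PATH (1.1.1+ for -addext) with a usable default
# openssl.cnf. Hostnames and subject fields are made up for this example.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"
trap 'rm -rf "$WORK"' EXIT

# dns_san_value host... -> "DNS:host1,DNS:host2,..." (the extfile/-addext value)
dns_san_value() {
    san_out=""
    for san_host in "$@"; do
        san_out="${san_out:+$san_out,}DNS:$san_host"
    done
    printf '%s' "$san_out"
}

# Way 1, the earlier answer's procedure: key -> CSR -> x509 -req with -extfile.
# The SAN lives only in the extfile; the CSR itself carries no extension.
# make_cert_extfile <dir> <CN> host... -> prints the path of the certificate
make_cert_extfile() {
    dir1="$1"; cn1="$2"; shift 2
    mkdir -p "$dir1"
    printf 'subjectAltName=%s\n' "$(dns_san_value "$@")" > "$dir1/san.cnf"
    openssl genrsa -out "$dir1/site.key" 2048 2>/dev/null   # 2048 bits, not 1024
    # -subj replaces the interactive prompts; every RDN (including L=) has a value
    openssl req -new -key "$dir1/site.key" -out "$dir1/site.csr" \
        -subj "/C=US/ST=Example/L=Example City/O=Example Inc/CN=$cn1"
    openssl x509 -req -days 365 -in "$dir1/site.csr" -signkey "$dir1/site.key" \
        -extfile "$dir1/san.cnf" -out "$dir1/site.crt" 2>/dev/null
    printf '%s\n' "$dir1/site.crt"
}

# Way 2, the accepted answer's -addext (OpenSSL >= 1.1.1): one command, no
# CSR and no extfile. Spelling matters: -addext, not -adext.
# make_cert_addext <dir> <CN> host... -> prints the path of the certificate
make_cert_addext() {
    dir2="$1"; cn2="$2"; shift 2
    mkdir -p "$dir2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir2/site.key" -out "$dir2/site.crt" \
        -subj "/C=US/ST=Example/L=Example City/O=Example Inc/CN=$cn2" \
        -addext "subjectAltName=$(dns_san_value "$@")" 2>/dev/null
    printf '%s\n' "$dir2/site.crt"
}

# cert_has_san <cert.pem> <hostname> -> exit 0 iff DNS:<hostname> is a SAN.
# Splits the "DNS:a, DNS:b" line on commas and matches whole tokens only, so
# dc1.example.com does not match dc1.example.com.evil or vice versa.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' | tr -d ' \t' | grep -qxF "DNS:$2"
}

# Demo: build both certificates for three domain controllers and check them.
HOSTS="dc1.example.com dc2.example.com dc3.example.com"
CRT1=$(make_cert_extfile "$WORK/extfile" example.com $HOSTS)   # $HOSTS split on purpose
CRT2=$(make_cert_addext  "$WORK/addext"  example.com $HOSTS)

for crt in "$CRT1" "$CRT2"; do
    for h in $HOSTS; do
        cert_has_san "$crt" "$h" && echo "$crt: SAN DNS:$h present"
    done
    # The CN is not a SAN unless you list it; modern clients ignore the CN,
    # so put the CN's name into the SAN list too when it must be matched.
    cert_has_san "$crt" example.com || echo "$crt: CN example.com is NOT a SAN"
done
```

Run it as-is to see both certificates pass the three DNS checks and fail the CN check; to use it for real, replace the made-up subject and hostnames, and add the CN's own name to the SAN list if clients will connect to it by that name.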