
I have been trying to create a self-signed certificate with a subject alternative name; however, although the certificate was created successfully, the SAN was not added to its details.

Here's the command I used to create the signing request.

openssl req -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr -config openssl-san.cnf

And here's the content of the configuration file.

[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions         = req_ext

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
stateOrProvinceName    = State or Province Name (full name)
localityName           = Locality Name (eg, city)
organizationName       = Organization Name (eg, company)
commonName             = Common Name (e.g. server FQDN or YOUR name)

Optionally, specify some defaults.

countryName_default            = **
stateOrProvinceName_default    = ****
localityName_default           = ****
0.organizationName_default     = ******
organizationalUnitName_default = **
emailAddress_default           = *********

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.0 = localhost

Certificate details (screenshot)

What am I doing wrong here?

Please note that I'm a software developer, so creating certificates is not my typical thing.

Scarnet

1 Answer


It's up to the signer how they populate the Subject and SAN fields of a certificate.

If you use openssl to sign the request, it will not copy any extensions from the request by default. From the man page of openssl req (openssl ca has a similar option):

-copy_extensions arg

Determines how X.509 extensions in certificate requests should be handled when -x509 is in use. If arg is none or this option is not present then extensions are ignored. If arg is copy or copyall then all extensions in the request are copied to the certificate.

The main use of this option is to allow a certificate request to supply values for certain extensions such as subjectAltName.

You have to be careful with that option as it will copy any extension in the request, which may not be what you want.

A minimal config (minimal.cnf) which will give you a self-signed with a SAN applied by the issuer is:

prompt             = no
distinguished_name = req_dn
x509_extensions    = x509_ext

[ req_dn ]
commonName = Example Web Service

[ x509_ext ]
subjectAltName = @alt_names

You may need the next line to stop Firefox complaining:

basicConstraints = critical, CA:TRUE

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com

Create the self-signed certificate with:

openssl req -x509 -new -newkey rsa:2048 -nodes -days 720 -keyout selfsigned.key -out selfsigned.cer -config minimal.cnf
garethTheRed
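As an added example that is not part of the thread: a script that runs the answer's one-step `req -x509` recipe and checks that the SAN actually landed in the certificate, then contrasts it with a two-step flow like the question's (SAN requested via `req_extensions`, CSR then signed with `openssl x509 -req`, which copies no request extensions by default). It assumes `openssl` is on PATH; the signing command and the temp directory are my assumptions, since the question does not show how the CSR was signed.

```shell
# Added example, not part of the original thread. Requires openssl on PATH.
set -eu
# Print the subjectAltName value of a certificate, or nothing if it has none.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Write the answer's minimal config; $2 is x509_extensions (applied by the
# issuer) or req_extensions (only placed in the CSR).
write_cnf() {
    cat > "$1" <<EOF
prompt             = no
distinguished_name = req_dn
$2 = san_ext

[ req_dn ]
commonName = Example Web Service

[ san_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
EOF
}

# One step: req -x509 is both requester and issuer, so x509_extensions land.
make_selfsigned() {
    write_cnf "$1/minimal.cnf" x509_extensions
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 720 \
        -keyout "$1/selfsigned.key" -out "$1/selfsigned.cer" \
        -config "$1/minimal.cnf" 2>/dev/null
    san_of "$1/selfsigned.cer"
}

# Two steps (assumed signing command): the SAN is in the CSR, but
# x509 -req copies no request extensions by default, so it is dropped.
make_from_csr() {
    write_cnf "$1/csr.cnf" req_extensions
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" -config "$1/csr.cnf" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 720 -out "$1/server.cer" 2>/dev/null
    san_of "$1/server.cer"
}
tmp=$(mktemp -d)
echo "self-signed via x509_extensions: $(make_selfsigned "$tmp")"
echo "CSR then x509 -req (no copy):   [$(make_from_csr "$tmp")]"
rm -rf "$tmp"
```

The first line should print `DNS:www.example.com, DNS:example.com`; the second prints empty brackets, which is exactly the symptom in the question.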