Subject alternative name is not copied to the signed certificate

I use a self-signed CA certificate to sign other certificates. For some certificates, I need to specify subject alternative names. I can specify them during the generation of the request (openssl req ...), and I see them in the .csr file. Then I sign it with a CA certificate using

 openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt 

and the following sections in the openssl.cnf file:

 [ x509 ]
 x509_extensions = x509v3_config

 [ x509v3_config ]
 copy_extensions = copy

but I do not see the SAN in the .crt file.

I know about solutions with the openssl ca ... command, but I don't have a valid [ca] section, and I don't want to copy / paste it without a deep understanding of what it does. So I hope there is another solution with the openssl x509 ... command.

+5
2 answers

The copy_extensions directive is understood only by the openssl ca command. It is not possible to copy extensions from a CSR to a certificate using openssl x509.

Instead, you should specify the exact extensions you want as part of the openssl x509 command, using the same directives that you used for openssl req.

+6
source

Sorry, I can not comment (yet).

In addition to @frasertweedale:

I generated my server certificate with a configuration file:

 openssl req -new -out certificate.csr -key certificate_private_key.pem -sha256 -days 1825 -config certificate.conf 

Then I did

Instead, you should specify the exact extensions you want as part of the OpenSSL x509 command using the same directives that you used for OpenSSL req.

with the following command (I used the same .conf file again):

 openssl x509 -req -in certificate.csr -CA ca-root-public-certificate.pem -CAkey ca-key.pem -CAcreateserial -out certificate_public.pem -sha256 -days 1825 -extfile certificate.conf -extensions v3_req 
+1
source
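
The behaviour described in the question and both answers can be reproduced with the script below. It is an added example, not part of either answer; the host names, the "Demo CA" subject and all file names are constructed. It signs the same CSR once without -extfile, as in the question, and once with -extfile and -extensions, as in the answers, then reports whether each result carries a SAN.

```shell
#!/bin/sh
# Added example. All names (www.example.test, Demo CA, file names) are constructed.

# Print "present" or "absent" for the SAN extension.
# $1 = openssl subcommand that reads the file (req or x509), $2 = file.
san_state() {
    if openssl "$1" -in "$2" -noout -text 2>/dev/null |
        grep -q 'Subject Alternative Name'; then
        echo present
    else
        echo absent
    fi
}

# In directory $1: create a throwaway CA and a CSR that requests a SAN, then
# sign the CSR twice with "openssl x509 -req".
sign_both_ways() {
    d=$1
    cat > "$d/req.conf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = www.example.test
[ v3_req ]
subjectAltName = DNS:www.example.test, DNS:example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.conf" \
        -subj "/CN=Demo CA" -days 1 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.conf" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    # Like the question's command: no -extfile, so no extension section is applied.
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 01 -days 1 -out "$d/no_san.crt" 2>/dev/null
    # Like the answers' command: name the extension section explicitly.
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 02 -days 1 -extfile "$d/req.conf" -extensions v3_req \
        -out "$d/with_san.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
sign_both_ways "$demo_dir"
echo "CSR:                    SAN $(san_state req "$demo_dir/srv.csr")"
echo "x509 -req, no -extfile: SAN $(san_state x509 "$demo_dir/no_san.crt")"
echo "x509 -req, -extfile:    SAN $(san_state x509 "$demo_dir/with_san.crt")"
rm -rf "$demo_dir"
```

The same check is worth running on any certificate issued this way before it is deployed, since a missing SAN is silent at signing time.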

Source: https://habr.com/ru/post/1237073/

