Comments for OpenSSL CSR with Alternative Names one-line #1048
Comments
Thanks, Lele. Great to have a single command for that. One thing I'm curious about: I believe the RFCs state that if you use a Subject Alternative Name, you should supply all names as SANs, and the CN can be ignored by clients. If I understand correctly, that means you should list e.g. www.endpoint.com as the CN, and both www.endpoint.com and bare endpoint.com as SANs. Can you confirm or deny that? |
After some investigation I finally found a proper answer. As can be read here, it seems that "some browsers" (yes, IE) may refer to this RFC strictly enough that if they found a SAN field they won't consider the CN field and only use the domains found in the SANs. While the original "older" RFC didn't specifically endorsed nor encouraged that behavior, with the new RFC there was more confusion on how to read that part so some browser went that way. The final answer is: since it's never a problem to have one domain in both fields (CN and SAN) but it can be a problem to have the main domain only in the CN when using SANs, it's better to have all domains present in both fields. Since the CN only supports one domain, it's common practice to put the main domain there, and then repeat it in the SAN field along with all the additional ones. |
This does not correctly generate the x509 certificate with the v3 extensions required for proper compliance with the RFC spec. This can be verified by generating a certificate and then doing an 'openssl req -in yourfile.csr -noout -text' and looking for the v3 information. I'm still interested in finding a one-liner, but so far I've had to build a openssl.cnf according to this other blog post and passed it in. http://apetec.com/support/GenerateSAN-CSR.htm |
@Deikensentsu That's true. Anyway I found that most certificate authorities are happy with the CSR generate that way and will create a certificate securing the right domains (NameCheap, GoDaddy, GeoTrust, ecc..) Anyway thanks for your input, I'll add a line in the post text. Have a great day. |
Hi , your command is not working for me, it giving me error like below Error opening Private Key endpoint.com.key
-----BEGIN CERTIFICATE REQUEST----- on decoding above csr its giving me like below Email: a@gmail.com/subjectAltName=DNS.1=endpoint.com Please suggest |
@sushil_rangari this post assumed readers to have a solid grasp of certificate creation/management basics. Before jumping on SANs you should probably practice more on basic certificates. |
Hello Emanuele, Thanks for replying back. Yes i do have some basic knowledge of Certificate Generations. I replaced the contents of the your command as my need, but the desired CSR was not generated which i wanted. like specially for SAN I have added www.domain.com as CN and under subjectAltName=DNS.1=domain.com but the got SAN under email section Email:name@gmail.com/subjectAltName=DNS.1=domain.com am I doing some thing wrong ? do I need to made changes in openssl conf file as well ? Please suggest .it will be helpful Thanks |
@sushil_rangari it seems that something could have been wrong in the command you used to generate the certificate. In order to be of any help I'd nee to see the steps you took to create the certificate. Please create a pastebin and I'll be happy to take a look and try to help. |
Hello Emanuele, here is the commands which I am running
Please suggests. Thanks |
In my previous command I missed DNS.1= but after adding the result are same [root@master ~]# openssl req -new -sha256 -nodes -subj '/C=US/ST=New York/L=New York/O=IT/OU=Hosting Team/CN=www.domain.com/emailAddress=sushil.rangari84@gmail.com/subjectAltName=DNS.1=domain.com' > www.domain.com.csr
|
Hi Sushil Rangari, Thank you. |
Hi, I was wondering how one could use this format and also use a challenge phrase. When I use the syntax given it does not prompt for any further information. Putting /challengePassword=.../ doesn't seem to work. |
Hi Lele, FYI your one liner didn't seem to add the subjectAltName to my CSR when I ran it thru a CSR decoder. But this one-liner did: openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.csr Cheers, Andrew | Western Sydney Uni |
I just developed a web based tool that will generate this command for you and display the output. http://kernelmanic.com/certificate-request-generator-with-multiple-common-names-and-subject-alternative-names/ |
I've updated my web based OpenSSL tool to automatically generate this command. https://certificatetools.com/ |
Thanks - this post is really helpful. I would say though that using "New York" as an example in the openssl command itself is very confusing - I can't tell the difference between the different fields. Perhaps it should be changed to something else? |
Please update your post or delete it. |
Hi, openssl req -config openssl.cnf -new -key ./private/radagast8.key -sha256 -nodes -out radagast9.csr -subj '/C=US/ST=Georgia/L=Dulut/O=Ericsson/OU=SV/CN=mdms-settings/ But I get an error with Subject Attribute What did I do wrong ? |
I finally found some time to answer all the questions, doubts, hints and concerns above. Thank you all for your hints, ideas and comments. |
How about just... ./generateCSR.sh US 'New York' Rochester 'End Point' 'Testing Domain' your-administrative-address@your-awesome-existing-domain.com your-new-domain.com and if you want to make the argument handling flexible see http://wiki.bash-hackers.org/howto/getopts_tutorial You may not want the argument defaults that I've set in generateCSR.sh but instead make at least some arguments required And for the generateCSR.sh... #!/bin/sh CSR_DETAILS=$(mktemp) cat > ${CSR_DETAILS} <<-EOF [ dn ] [ req_ext ] [ alt_names ] export COUNTRY=${1:-US} Let's call openssl now by piping the newly created file inopenssl req -new -sha256 -nodes -out *.${DOMAIN}.csr -newkey rsa:2048 -keyout *.${DOMAIN}.key -config ${CSR_DETAILS} rm ${CSR_DETAILS} |
Hello, I have a stupid but basic question about SAN certificates. Can I use under "alt_names" DNS names of different servers and different domains? for example: And use generated SAN certificate on all included servers? BR/ Vaibhav |
Hi vaibhav zirmite, Hi Phillip Odam, |
Hi Emanuele No problem, thanks for your write up as it helped with my automating a self-signed root, intermediate, leaf certificate generation. Phillip |
Thanks for this! |
The code is probably incorrect - it always fails to find distinguished name if not put as the first entry under [req] |
Thanks for the useful article. Definitely a time saver. |
why not just -config csr_details.txt ? |
|
In the command line that inputs the csr details file, you use -sha256. However, you also use |
Comments for https://www.endpointdev.com/blog/2014/10/openssl-csr-with-alternative-names-one/
By Emanuele “Lele” Calò
To enter a comment:
The text was updated successfully, but these errors were encountered: