Merge -addext option from upstream #544

Closed
Ypnose opened this issue Jul 30, 2019 · 7 comments

Comments

@Ypnose

Ypnose commented Jul 30, 2019

The OpenSSL binary (OpenSSL 1.1.1 11 Sep 2018) now supports the -addext ext option, useful to provide a specific extension, like SAN.
https://www.openssl.org/docs/man1.1.1/man1/req.html

The OpenSSL binary from LibreSSL (LibreSSL 2.9.2) doesn't support it, so it is kinda inconvenient to generate a CSR where LibreSSL is used (OpenBSD, Linux distributions migrated to LibreSSL).

Here is the command I used to test:

```
openssl req -sha256 -new -newkey rsa:4096 -nodes -addext "subjectAltName = DNS:foo.co.uk" -keyout pkey.pem -out csr.pem
```

Here is the related discussion:
openssl/openssl#3311

Could it be possible to merge the upstream change into LibreSSL?

@Ypnose Ypnose changed the title Merge -addext ext from upstream Merge -addext option from upstream Jul 30, 2019
@Ypnose
Author

Ypnose commented Sep 24, 2019

Hi,
Any update on this?

@otto-dev

Can't use libressl without this because of subjectAltNames

@kinichiro
Contributor

Here is a temporary workaround to put subjectAltName without the -addext option.

```bash
#!/usr/local/bin/bash

# Append a [SAN] section to the stock config via process substitution
# and select it with -extensions.
openssl req -newkey rsa:2048 -days 365 -nodes -x509 \
    -subj "/C=/ST=/L=/O=/OU=/CN=*.foo.co.uk" \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
            <(printf "[SAN]\nsubjectAltName='DNS:foo.co.uk'")) \
    -keyout pkey.pem -out csr.pem
```

@kinichiro
Contributor

The -addext option was added in upstream libressl/openbsd@6d41544

@ip75

ip75 commented Dec 19, 2019

> Here is a temporary workaround to put subjectAltName without the -addext option.

```bash
#!/usr/local/bin/bash

openssl req -newkey rsa:2048 -days 365 -nodes -x509 \
    -subj "/C=/ST=/L=/O=/OU=/CN=*.foo.co.uk" \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
            <(printf "[SAN]\nsubjectAltName='DNS:foo.co.uk'")) \
    -keyout pkey.pem -out csr.pem
```

-extensions does not work with the req command (libressl-3.0.2).
I cannot set subjectAltNames on the certificate.

@4a6f656c
Contributor

4a6f656c commented Jan 1, 2020

@ip75 works for me...

```console
$ openssl version
LibreSSL 3.0.2
$ openssl req -newkey rsa:2048 -days 365 -nodes -x509 \
    -subj "/C=/ST=/L=/O=/OU=/CN=*.foo.co.uk" \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
            <(printf "[SAN]\nsubjectAltName='DNS:foo.co.uk'")) \
    -keyout pkey.pem -out csr.pem
$ openssl x509 -text -in csr.pem | grep DNS: -B2
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:foo.co.uk
```
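The workaround above passes `-x509`, so despite the `csr.pem` name it writes a self-signed certificate, and `-extensions` applies only to that path. For a real CSR (no `-x509`) the request-extension section is selected with `-reqexts` instead. The script below is an added example, not code from this thread or from LibreSSL; it builds a self-contained temporary config (no dependency on the system `openssl.cnf` path), issues a CSR with one or more SAN entries, and verifies that the SAN actually landed in the request. It assumes an `openssl` binary (OpenSSL or LibreSSL) in PATH; `make_san_config`, `gen_csr_with_san` and `csr_has_san` are names chosen here.

```shell
#!/bin/sh
# Added example: CSR with subjectAltName on an openssl binary without -addext.

# Emit a minimal req config. [req] needs a distinguished_name section even
# when -subj supplies the DN; the SAN list goes into its own section, which
# is referenced by req_extensions (for CSRs) and can be named via -reqexts.
# $1 = comma-separated SAN list, e.g. "DNS:foo.co.uk,DNS:www.foo.co.uk"
make_san_config() {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = san\n[dn]\n[san]\nsubjectAltName = %s\n' "$1"
}

# Generate a private key and a CSR that carries the requested SANs.
# $1 = CN, $2 = SAN list, $3 = output directory (must exist)
# Writes $3/req.cnf, $3/pkey.pem and $3/csr.pem; returns openssl's status.
gen_csr_with_san() {
    cn=$1; sans=$2; out=$3
    make_san_config "$sans" > "$out/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" \
        -reqexts san -config "$out/req.cnf" \
        -keyout "$out/pkey.pem" -out "$out/csr.pem" 2>/dev/null
}

# Verify step: a CSR should be inspected with `req -text`, not `x509 -text`.
# $1 = CSR path, $2 = DNS name expected in the SAN; exit status is the answer.
csr_has_san() {
    openssl req -noout -text -in "$1" 2>/dev/null | grep -q "DNS:$2"
}

# Usage (constructed names):
#   mkdir -p out
#   gen_csr_with_san foo.co.uk "DNS:foo.co.uk,DNS:www.foo.co.uk" out
#   csr_has_san out/csr.pem www.foo.co.uk && echo "SAN present"
```

With `openssl req -noout -text -in out/csr.pem` the SAN shows up under "Requested Extensions", which is the section a CA copies into the issued certificate; checking it before submission catches the silent drop that happens when the extension section was never selected.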

@4a6f656c
Contributor

4a6f656c commented Jan 1, 2020

Closing since this will be available in the next release.
