openssl req: Interactively specify subjectAltName (SAN) #3311

Closed
leonklingele opened this issue Apr 25, 2017 · 9 comments
@leonklingele
commented Apr 25, 2017

Firefox & Chrome now require the subjectAltName (SAN) X.509 extension for certificates.

Please provide a way to specify the SAN interactively (alongside the CN) when generating certs & reqs using the openssl command line tool (openssl req).

Currently one has to do some ugly trickery to generate a self-signed certificate:

openssl req -new -key private.key -sha256 -nodes -x509 -days 365 -out public.crt \
    -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
              <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))

EDIT:
By "interactively" I mean asking for the SAN when running openssl req (without a -subj):

$ openssl req ..
[ .. ]
Common Name (eg, fully qualified host name) []: mydomain.com
Subject Alternative Name (eg, list of host names) []: mydomain.com,www.mydomain.com
[ .. ]
@richsalz

Contributor

commented Apr 26, 2017

A PR would help expedite this.

You can also use the $ENV construct in your config file and set the SAN field in the environment.

@tedescn


commented May 5, 2017

My assumption is there are two separate requirements here:

  1. Copy the CN value to the default SAN DNS value, and
  2. Additionally capture a list of additional SANs, appending these to the default SAN.

Have I understood the requirement correctly? Is part 1 partially addressed by PR #341?

@SidShetye


commented May 29, 2017

@richsalz the $ENV approach adds unnecessary complexity and also makes scripts harder to keep cross-platform. Plus it still requires having a .conf file at all ...

@richsalz

Contributor

commented May 29, 2017

Sure, it's sub-optimal. See the other part of my comment :)

@JamesTheAwesomeDude


commented Nov 23, 2017

Is this "true"? https://certsimple.com/blog/openssl-csr-command

These guys say that I can use -subj '/CN=example.com/subjectAltName=DNS.1=example.com, DNS.2=www.example.com' but I can't seem to get such syntax working on version 1.1.0g on Debian Stretch.

Or is there truly no way to attach a subjectAltName to a CSR without using a custom config file?

@levitte

Member

commented Nov 24, 2017

@JamesTheAwesomeDude, I would say that's possible if the signing CA knows to pick out subjectAltName from the csr's subject and make an extension of it. I don't know any CA that does this, though...

@milosivanovic


commented Nov 24, 2017

Yeah, it doesn't create the appropriate "Subject Alternative Name" field, it just adds it to the "Subject" field, which isn't where it should be.

@richsalz

Contributor

commented Nov 24, 2017

Many commercial CAs add the CN field to the SAN extension, but not all. And as others pointed out, it is not added to the CSR.

levitte added a commit to levitte/openssl that referenced this issue Dec 27, 2017

Add 'openssl req' option to specify extension values on command line
The idea is to be able to add extension value lines directly on the
command line instead of through the config file, for example:

    openssl req -new -extension 'subjectAltName = DNS:dom.ain, DNS:oth.er' \
                     -extension 'certificatePolicies = 1.2.3.4'

Fixes openssl#3311

levitte added a commit to levitte/openssl that referenced this issue Dec 28, 2017

Add 'openssl req' option to specify extension values on command line
The idea is to be able to add extension value lines directly on the
command line instead of through the config file, for example:

    openssl req -new -extension 'subjectAltName = DNS:dom.ain, DNS:oth.er' \
                     -extension 'certificatePolicies = 1.2.3.4'

Fixes openssl#3311

Thank you Jacob Hoffman-Andrews for the inspiration

@levitte levitte closed this in bfa470a Dec 28, 2017
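Added example (not code from the issue or from the OpenSSL project): the config-file workaround from the opening post, written portably with a temp file instead of bash-only process substitution; the same result via the command-line extension option the fix introduced (shipped in OpenSSL 1.1.1 under the name -addext); and a check that the SAN extension is actually present, since a CN alone no longer satisfies browsers. It assumes openssl is on PATH and, for the -addext variant, is version 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the issue: the config-file workaround the issue
# describes, done portably (temp file instead of bash-only <(...)), the
# -addext form the fix introduced, and a check that the SAN really landed.
set -eu

# make_san_cert OUTDIR CN [ALT_DNS ...]: self-signed cert whose SAN lists
# the CN plus every extra name, via a throwaway config (no /etc/ssl dependency).
make_san_cert() {
    dir="$1"; cn="$2"; shift 2
    san="DNS:$cn"
    for n in "$@"; do san="$san,DNS:$n"; done
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[SAN]
subjectAltName = $san
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" -extensions SAN 2>/dev/null
}

# make_san_cert_addext OUTDIR CN [ALT_DNS ...]: same result with no custom
# config file, using -addext (the option from bfa470a as released in 1.1.1).
make_san_cert_addext() {
    dir="$1"; cn="$2"; shift 2
    san="DNS:$cn"
    for n in "$@"; do san="$san,DNS:$n"; done
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
}

# cert_has_dns_san CERT NAME: exit 0 iff CERT's SAN extension lists DNS:NAME.
# A name that only appears in the Subject (as on the CN-only path) is not found.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n' | grep -qx "DNS:$2"
}
```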

@JamesTheAwesomeDude


commented Feb 20, 2018

Just wanted to say thanks so much for bfa470a and for resolving this issue.

🎊🙌🎉

Looking forward intensely to its inclusion in Debian. This will make manual CSR generation so much less painful!
