ssl - How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
I am trying to generate a self-signed certificate with OpenSSL with SubjectAltName in it. While generating the CSR for the certificate, my guess is that I have to use the v3 extensions of OpenSSL x509. I am using:
openssl req -new -x509 -v3 -key private.key -out certificate.pem -days 730
Can someone help me with the exact syntax?
It's a 3 step process, and it involves modifying the openssl.cnf file. You might be able to do it with only command line options, but I don't do it that way.

Find your openssl.cnf file. It is located in /usr/lib/ssl/openssl.cnf:

$ find /usr/lib -name openssl.cnf
/usr/lib/openssl.cnf
/usr/lib/openssh/openssl.cnf
/usr/lib/ssl/openssl.cnf

On a Debian system, /usr/lib/ssl/openssl.cnf is used by the built-in openssl program. On recent Debian systems it is located at /etc/ssl/openssl.cnf.

You can determine which openssl.cnf is being used by adding a spurious XXX to the file and seeing if openssl chokes.
First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it.

[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]:

subjectAltName = @alternate_names

You might change keyUsage to the following under [ v3_ca ]:

keyUsage = digitalSignature, keyEncipherment

digitalSignature and keyEncipherment are standard fare for a server certificate. Don't worry about nonRepudiation. It's a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.

In the end, the IETF (RFC 5280), browsers and CAs run fast and loose, so it does not matter what key usage you provide.
Second, modify the signing parameters. Find this line under the CA_default section:

# Extension copying option: use with caution.
# copy_extensions = copy

and change it to:

# Extension copying option: use with caution.
copy_extensions = copy

This ensures the SANs are copied into the certificate. The other ways to copy DNS names are broken.
Third, generate your self-signed certificate:

$ openssl genrsa -out private.key 3072
$ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
...
Finally, examine the certificate:

$ openssl x509 -in certificate.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9647297427330319047 (0x85e215e5869042c7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=MD, L=Baltimore, O=Test CA, Limited, CN=Test CA/emailAddress=test@example.com
        Validity
            Not Before: Feb  1 05:23:05 2014 GMT
            Not After : Feb  1 05:23:05 2016 GMT
        Subject: C=US, ST=MD, L=Baltimore, O=Test CA, Limited, CN=Test CA/emailAddress=test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:e2:e9:0e:9a:b8:52:d4:91:cf:ed:33:53:8e:35:
                    ...
                    d6:7d:ed:67:44:c3:65:38:5d:6c:94:e5:98:ab:8c:
                    72:1c:45:92:2c:88:a9:be:0b:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                34:66:39:7c:ec:8b:70:80:9e:6f:95:89:db:b5:b9:b8:d8:f8:af:a4
            X509v3 Authority Key Identifier:
                keyid:34:66:39:7c:ec:8b:70:80:9e:6f:95:89:db:b5:b9:b8:d8:f8:af:a4
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
    Signature Algorithm: sha256WithRSAEncryption
         3b:28:fc:e3:b5:43:5a:d2:a0:b8:01:9b:fa:26:47:8e:5c:b7:
         ...
         71:21:b9:1f:fa:30:19:8b:be:d2:19:5a:84:6c:81:82:95:ef:
         8b:0a:bd:65:03:d1
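The three ingredients the answer above adds to openssl.cnf (an alternate_names section, subjectAltName = @alternate_names, and a keyUsage line) can also live in a standalone config file passed to openssl req with -config, which leaves the system openssl.cnf untouched and makes the result reproducible. The script below is an added example, not code from the answer or from OpenSSL; the function names make_san_config, make_self_signed and cert_sans, and the example.com host names, are constructed for illustration. It generates the key and certificate exactly as the answer does (genrsa 3072, req -new -x509 -sha256) and then reads the SAN extension back out of the finished certificate so you can confirm the names landed.

```shell
#!/bin/sh
# Added example (not from the answer above): build a self-signed certificate
# with SubjectAltName from a standalone OpenSSL config instead of editing
# the system openssl.cnf. Function names and host names are constructed.

# Print an OpenSSL config to stdout. The first argument becomes the CN and
# DNS.1; every further argument becomes another DNS.n entry in
# [ alternate_names ], mirroring the section described in the answer.
make_san_config() {
    cn=$1
    shift
    printf '[ req ]\n'
    printf 'distinguished_name = req_dn\n'
    printf 'x509_extensions = v3_san\n'   # section applied because we pass -x509
    printf 'prompt = no\n\n'
    printf '[ req_dn ]\n'
    printf 'CN = %s\n\n' "$cn"
    printf '[ v3_san ]\n'
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alternate_names\n\n'
    printf '[ alternate_names ]\n'
    i=1
    for name in "$cn" "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# Generate a 3072-bit RSA key and a self-signed certificate from the config.
# Arguments: config-file key-out cert-out days
make_self_signed() {
    openssl genrsa -out "$2" 3072 2>/dev/null &&
    openssl req -new -x509 -key "$2" -sha256 -config "$1" -out "$3" -days "$4"
}

# Print the SAN line of a certificate, e.g. "DNS:example.com, DNS:www.example.com".
# The names sit on the line after the "Subject Alternative Name" header in -text output.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Stand-alone demo; skipped when openssl is not on PATH.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_san_config example.com www.example.com mail.example.com ftp.example.com \
        > "$work/san.cnf"
    make_self_signed "$work/san.cnf" "$work/private.key" "$work/certificate.pem" 730
    echo "SANs in $work/certificate.pem:"
    cert_sans "$work/certificate.pem"
fi
```

Because the CN is also listed as DNS.1, clients that ignore the Common Name (as modern browsers do) still match the primary host name through the SAN list; if a name is missing from the printed cert_sans output, the certificate was not built from this config.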