ssl - How can I generate a self-signed certificate with SubjectAltName using OpenSSL? -


i trying generate self-signed certificate openssl subjectaltname in it.while generating csr certificate, guess have use v3 extensions of openssl x509. using :

openssl req -new -x509 -v3 -key private.key -out certificate.pem -days 730

can me exact syntax?

can me exact syntax?

its 3 step process, , involves modifying openssl.cnf file. might able command line options, don't way.

find openssl.cnf file. located in /usr/lib/ssl/openssl.cnf:

$ find /usr/lib -name openssl.cnf /usr/lib/openssl.cnf /usr/lib/openssh/openssl.cnf /usr/lib/ssl/openssl.cnf 

on debian system, /usr/lib/ssl/openssl.cnf used built-in openssl program. on recent debian systems located @ /etc/ssl/openssl.cnf

you can determine openssl.cnf being used adding spurious xxx file , see if openssl chokes.


first, modify req parameters. add alternate_names section openssl.cnf names want use. there no existing alternate_names sections, not matter add it.

[ alternate_names ]  dns.1        = example.com dns.2        = www.example.com dns.3        = mail.example.com dns.4        = ftp.example.com 

next, add following existing [ v3_ca ] section. search exact string [ v3_ca ]:

subjectaltname      = @alternate_names 

you might change keyusage following under [ v3_ca ]:

keyusage = digitalsignature, keyencipherment 

digitalsignature , keyencipherment standard faire server certificate. don't worry nonrepudiation. useless bit thought comp sci guys wanted lawyers. means nothing in legal world.

in end, ietf (rfc 5280), browsers , cas run fast , loose, not matter key usage provide.


second, modify signing parameters. find line under ca_default section:

# extension copying option: use caution. # copy_extensions = copy 

and change to:

# extension copying option: use caution. copy_extensions = copy 

this ensures sans copied certificate. other ways copy dns names broken.


third, generate self-signed:

$ openssl genrsa -out private.key 3072 $ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730 asked enter information incorporated certificate request. enter called distinguished name or dn. ... 

finally, examine certificate:

$ openssl x509 -in certificate.pem -text -noout certificate:     data:         version: 3 (0x2)         serial number: 9647297427330319047 (0x85e215e5869042c7)     signature algorithm: sha256withrsaencryption         issuer: c=us, st=md, l=baltimore, o=test ca, limited, cn=test ca/emailaddress=test@example.com         validity             not before: feb  1 05:23:05 2014 gmt             not after : feb  1 05:23:05 2016 gmt         subject: c=us, st=md, l=baltimore, o=test ca, limited, cn=test ca/emailaddress=test@example.com         subject public key info:             public key algorithm: rsaencryption                 public-key: (3072 bit)                 modulus:                     00:e2:e9:0e:9a:b8:52:d4:91:cf:ed:33:53:8e:35:                     ...                     d6:7d:ed:67:44:c3:65:38:5d:6c:94:e5:98:ab:8c:                     72:1c:45:92:2c:88:a9:be:0b:f9                 exponent: 65537 (0x10001)         x509v3 extensions:             x509v3 subject key identifier:                  34:66:39:7c:ec:8b:70:80:9e:6f:95:89:db:b5:b9:b8:d8:f8:af:a4             x509v3 authority key identifier:                  keyid:34:66:39:7c:ec:8b:70:80:9e:6f:95:89:db:b5:b9:b8:d8:f8:af:a4              x509v3 basic constraints: critical                 ca:false             x509v3 key usage:                  digital signature, non repudiation, key encipherment, certificate sign             x509v3 subject alternative name:                  dns:example.com, dns:www.example.com, dns:mail.example.com, dns:ftp.example.com     signature algorithm: sha256withrsaencryption          3b:28:fc:e3:b5:43:5a:d2:a0:b8:01:9b:fa:26:47:8e:5c:b7:          ...          71:21:b9:1f:fa:30:19:8b:be:d2:19:5a:84:6c:81:82:95:ef:          8b:0a:bd:65:03:d1 

Comments

Popular posts from this blog

php - regexp cyrillic filename not matches -

c# - OpenXML hanging while writing elements -

sql - Select Query has unexpected multiple records (MS Access) -