
So I have been able to create a Certificate Signing Request with a Subject Alternative Name of the form subjectAltName=IP:1.2.3.4 by following the recipe in a previous (splendid) answer.

When I inspect that CSR with openssl req -in key.csr -text I can see a corresponding section:

Requested Extensions:
  X509v3 Subject Alternative Name: 
    IP Address:1.2.3.4

I then proceed to signing the CSR with a self-signed key like so:

openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in key.csr -out key.crt

The resulting certificate (when inspected with openssl x509 -in key.crt -text) does not identify that section any more.

Is this just an artifact of display parameters or need I also instruct openssl x509 that it should include the extension when doing its signing (and if so, how)?

I am using OpenSSL on macOS High Sierra (openssl version reports LibreSSL 2.2.7) and have not changed its configuration from the defaults. The keys will ultimately be used between Debian (Stretch) servers, so I could perform key generation there, if it helps in this context.

  • This other answer on that same Q (https://security.stackexchange.com/a/159537/39571) already has your solution, except without the unnecessary copying of the config file which `req -x509` ignores. Plus my link to https://security.stackexchange.com/q/150078 which explains your problem. – dave_thompson_085 Aug 04 '18 at 03:40

2 Answers


The following command apparently resolves the issue:

openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extensions SAN \
  -extfile <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[SAN]\nsubjectAltName=IP:1.2.3.4")) \
  -in key.csr -out key.crt

It is the same recipe as for openssl req, but with the two parameters extensions and extfile instead of reqexts and config.

This command was helpful for quickly confirming the desired outcome by printing the relevant section:

openssl x509 -in key.crt -text | grep "Subject Alternative Name" -C 1
  • Well done! Thanks also for sharing your solution. -- Finally: It's well and proper to click the checkmark/accept button on your own answer. (I suggest you do that so that so that the question will then no longer be listed in the "unanswered" section.) – StackzOfZtuff Aug 03 '18 at 11:27
  • @StackzOfZtuff Thx but there is apparently a mandatory rule: "You can accept your own answer in 2 days." – Drux Aug 03 '18 at 12:19
  • those 2 days should have passed now, shouldn't they? – woodz Jun 18 '20 at 23:28
  • @woodz Yes, you are right. – Drux Jun 22 '20 at 08:30
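The question's workflow and this answer's fix, reproduced end to end as an added example (not code from the question, the answer, or OpenSSL itself): a throw-away CA signs a CSR that requests an IP SAN, once plainly and once with `-extensions`/`-extfile`, and `san_present` checks the result. It assumes a stock `openssl` binary; the config file `san.cnf`, the CA subject and the leaf key name are constructed for the example, while ca.crt, ca.key, key.csr and key.crt are the question's own names.

```shell
#!/bin/sh
# Added example, not code from the question or answer: reproduces the
# problem and the fix in a scratch directory, then inspects the result.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config, constructed here so no system openssl.cnf is needed.
# The [SAN] section is the one the answer appends to /etc/ssl/openssl.cnf.
cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[SAN]
subjectAltName = IP:1.2.3.4
EOF

# Throw-away CA plus a leaf key; -nodes skips the passphrase prompt.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 365 -subj "/CN=Example Test CA" -config san.cnf >/dev/null 2>&1
openssl genrsa -out key.pem 2048 >/dev/null 2>&1

# CSR carrying the SAN as a *requested* extension, as in the question.
openssl req -new -key key.pem -subj "/CN=1.2.3.4" -reqexts SAN \
  -config san.cnf -out key.csr

# Returns 0 when the certificate's X509v3 extensions carry the IP SAN.
san_present() {
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:1.2.3.4"
}

# Signing exactly as in the question: x509 -req does not carry requested
# extensions over, so key-nosan.crt normally ends up without the SAN.
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in key.csr -out key-nosan.crt 2>/dev/null
san_present key-nosan.crt && echo "key-nosan.crt: SAN kept by this build" \
  || echo "key-nosan.crt: SAN dropped, as in the question"

# Signing with the answer's -extensions/-extfile pair: the SAN is present.
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extensions SAN -extfile san.cnf -in key.csr -out key.crt 2>/dev/null
san_present key.crt && echo "key.crt: SAN present"
```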

I managed to put the SAN in the CSR and then sign it without losing it, by doing the following.

Find the openssl.cnf:

On Ubuntu

/etc/ssl/openssl.cnf

On CentOS

/etc/pki/tls/openssl.cnf

And uncomment the following under the [ CA_default ] section

copy_extensions = copy

Then you have to create some files (if you don't know where, try issuing the first cert, the error message will tell you where)

# Directory for issued certificates, the serial counter and the (initially
# empty) certificate database that `openssl ca` keeps in its CA directory.
sudo mkdir /your/dedicated-ca/dir/newcerts
sudo touch /your/dedicated-ca/dir/index.txt
# `sudo echo ... > file` runs only echo as root, so the redirect fails on a
# root-owned directory; pipe through `sudo tee` instead.
echo 1000 | sudo tee /your/dedicated-ca/dir/serial

If you want to have duplicate certs by subject: echo "unique_subject = no" | sudo tee -a /your/dedicated-ca/dir/index.txt.attr

Now try to issue a cert, but not using openssl x509, but openssl ca

sudo openssl ca -cert /your/ca/certfile.crt -keyfile /your/ca/certfile.key -in yourweb.csr -out yourweb.crt

Worked like a charm for me.
