So I have been able to create a Certificate Signing Request with a Subject Alternative Name of the form subjectAltName=IP:1.2.3.4
by following the recipe in a previous (splendid) answer.
When I inspect that CSR with openssl req -in key.csr -text
I can see a corresponding section:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:1.2.3.4
I then proceed to signing the CSR with a self-signed key like so:
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
-in key.csr -out key.crt
The resulting certificate (when inspected with openssl x509 -in key.crt -text
) does not identify that section any more.
Is this just an artifact of display parameters or need I also instruct openssl x509
that it should include the extension when doing its signing (and if so, how)?
I am using OpenSSL on macOS High Sierra (openssl version
reports LibreSSL 2.2.7
) and have not changed its configuration from the defaults. The keys will ultimately be used between Debian (Stretch) servers, so I could perform key generation there, if it helps in this context.