
I already know how to add Subject Alternative Names (SANs) to a Certificate Signing Request, and I know it's possible to manually add them once again to a certificate, which is similar to adding a SAN to a CSR, using OpenSSL like this:

openssl x509 -req -extfile <(printf "subjectAltName=IP:xxx") -days xxx -in xxx.csr -signkey xxx.key -out xxx.crt

Is there a way to achieve this with the CLI?

The key is copy_extensions. I'll try it. And this link explains it: https://unix.stackexchange.com/a/372393

schroeder
Peter
    Hello and welcome to Stack Exchange. Your question is about the use of a command line tool, not about information security. I therefore voted to migrate this question to [su], as you have better chances of getting an answer there. –  Sep 11 '19 at 09:18
  • Do you mean creating a CSR, or the 'signing' (really issuing) operation that _reads_ a CSR? For the former, dupe https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line . Also to be clear, you can use a config file other than openssl.cnf, so you can modify the config file without modifying openssl.cnf; does that meet your requirement? – dave_thompson_085 Sep 12 '19 at 04:37
  • @dave_thompson_085, thanks for your reply. I have already read that link. I think my question is like this: https://mta.openssl.org/pipermail/openssl-users/2016-January/002764.html. – Peter Sep 12 '19 at 14:07
  • The Subject of this question, then, doesn't match your actual question (based on that openssl-users link) - you want to *sign* the CSR purely CLI, not *generate* the CSR purely CLI. – gowenfawr Sep 12 '19 at 14:30
  • That email is vague but is either about specifying SAN in the operation that issues the cert _from_ the CSR (such as the `x509 -req -signkey` you posted) _or_ copying SAN from CSR to cert, which is a different operation and covered by different Qs: see https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate and maybe cross https://unix.stackexchange.com/questions/371997/creating-a-local-ssl-certificate . – dave_thompson_085 Sep 13 '19 at 01:59
  • @gowenfawr thanks, I realize that I didn't express it correctly. I'll edit it. – Peter Sep 17 '19 at 15:53
  • @dave_thompson_085 thanks for your reply. I'll try to use the copy_extensions option. – Peter Sep 17 '19 at 16:06
  • Note `copy_extensions` only works with `ca` NOT with `x509 -req` and thus not easily for self-signed as you are currently doing with `-signkey` if that matters to you – dave_thompson_085 Sep 18 '19 at 08:29

1 Answer


It is not possible to specify a SAN in OpenSSL solely at the command line*.

FWIW, I wrote a wrapper that allows you to do that by dynamically generating a temporary openssl.cnf behind the scenes for you: one_genkey

A script for creating Certificate Signing Requests from the CLI, hiding the OpenSSL config file complexity.


*Per dave_thompson_085's pointer to this answer, openssl 1.1.1 added an -addext option to req which will allow this. The sheer ingenuity of the contortions provided in all the other answers on that page is a testament to how big a pain this has been for all time leading up to openssl 1.1.1, and for all those systems (cough RHEL) still languishing with something other than the head branch.

gowenfawr
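The following script is an added example and is not code from the question, the answer, or the one_genkey project. It exercises the two CLI-only paths this thread ends up with (`openssl req -addext`, which needs OpenSSL 1.1.1 or later, to put the SAN into the CSR, and `openssl x509 -req -extfile` to put it into the issued certificate) and then does the check a practitioner actually wants: it issues the same CSR once without `-extfile` and once with it, and reads the SAN back out of each certificate. That makes the caveat from the comments visible in practice: `x509 -req` does not carry the CSR's SAN into the certificate, because `copy_extensions` is an `openssl ca` feature (the `openssl ca` path itself is not shown here). The question's `<(printf ...)` process substitution is bash-only, so the example writes the one-line extension file to a temp directory instead, which is also what stays portable to plain `sh`. The helper names (`san_of`, `make_csr_with_san`, `issue_cert`, `demo`), the subject `example.test` and the address `192.0.2.10` are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the question or answer: SAN via CLI only, plus the
# verification step that shows x509 -req dropping the CSR's SAN without -extfile.
# Helper names and the test values (example.test, 192.0.2.10) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT INT TERM

# Print the SAN value line of a CSR ($1=req) or certificate ($1=x509) in $2,
# or print nothing if it carries no subjectAltName extension at all.
san_of() {
    openssl "$1" -in "$2" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Build a CSR whose SAN comes purely from the command line via -addext
# (OpenSSL >= 1.1.1). $1=private key, $2=output CSR, $3=SAN list, e.g.
# "DNS:example.test,IP:192.0.2.10".
make_csr_with_san() {
    openssl req -new -key "$1" -subj "/CN=example.test" \
        -addext "subjectAltName=$3" -out "$2" 2>/dev/null
}

# Issue a self-signed cert from a CSR with x509 -req, the operation the question
# uses. $1=CSR, $2=key, $3=output cert, $4=SAN list or "" to omit -extfile.
# The extension file is one generated line, written to a temp file rather than
# a bash process substitution so this stays POSIX sh.
issue_cert() {
    if [ -n "$4" ]; then
        printf 'subjectAltName=%s\n' "$4" > "$WORK/ext.cnf"
        openssl x509 -req -in "$1" -signkey "$2" -days 1 \
            -extfile "$WORK/ext.cnf" -out "$3" 2>/dev/null
    else
        openssl x509 -req -in "$1" -signkey "$2" -days 1 -out "$3" 2>/dev/null
    fi
}

# Walk through: CSR with SAN -> cert without -extfile (SAN lost) -> cert with
# -extfile (SAN present), printing what each artifact actually contains.
demo() {
    key="$WORK/key.pem"; csr="$WORK/req.csr"
    san="DNS:example.test,IP:192.0.2.10"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$key" 2>/dev/null
    make_csr_with_san "$key" "$csr" "$san"
    echo "CSR SAN                 : $(san_of req "$csr")"
    issue_cert "$csr" "$key" "$WORK/dropped.crt" ""
    echo "cert SAN without -extfile: '$(san_of x509 "$WORK/dropped.crt")'"
    issue_cert "$csr" "$key" "$WORK/kept.crt" "$san"
    echo "cert SAN with -extfile   : $(san_of x509 "$WORK/kept.crt")"
}

demo
```

Run it as `sh san_cli.sh`; the middle line prints an empty SAN, which is exactly the "missing x509 extensions" symptom linked in the comments, and the last line shows the SAN restored by `-extfile`. Keying the extension file off the same variable that fed `-addext` is the point: with `x509 -req` the SAN has to be stated twice, once for the CSR and once for the certificate, and a pipeline that forgets the second one issues a certificate with no SAN and no error.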