
Can anyone tell me how I can add a number of Subject Alternate Names to an existing CSR?

I'm not talking about generating a CSR with SANs or adding SANs at signing time - I know how to do both of these things.

Background: The problem we have is that HP blade chassis allow you to generate CSRs, but they only allow a single SAN. We can't use a CSR generated elsewhere, as we could not use the resultant cert: there is no way (that I can find) to upload the key to the blade chassis.

Our CA's standard process does not allow for adding SANs at signing time. They are willing to experiment; however, I am trying to find a solution at our end, as this will mean we won't have to rely on them having a non-standard process for us. In my experience, if they need to use a non-standard process, life will eventually get difficult, e.g. when a staff member who knows the non-standard process is not present due to leave etc.

Current method is to connect to the blade chassis onboard admin via the web GUI and generate the CSR with a single CN.

The web GUI only allows for a single SAN in the CSR.

Then we self sign it with the following stanza in the openssl config:

[ v3_ca ]
subjectAltName = "DNS:bladesystem8,DNS:bladesystem8.services.adelaide.edu.au,DNS:bladesystem8-backup,DNS:bladesystem8-backup.services.adelaide.edu.au"

The resultant cert has the extra SANs.

Chris Woods
Jason Tan
  • How are you generating the certs on the blade chassis currently? What method are you using to connect etc.. what model blade chassis? – Eli Mar 31 '11 at 04:20
  • Chassis is a c7000. Yeah we are currently creating CSRs on the chassis and adding the SAN at sign time, but that is for self signed certs. – Jason Tan Mar 31 '11 at 04:25
  • What method are you using to connect to it currently and what is your process for generating certs for it? – Eli Mar 31 '11 at 04:26
  • I've edited the main question to include the current method. – Jason Tan Mar 31 '11 at 05:06
  • As far as I know it is not possible to download the key. I'm happy to pay the bounty to anyone who can tell me how to download a key from a HP c7000 and Virtual Connect Manager, in such a manner that it is possible to use the key to generate a CSR and then use the resultant cert after the CSR is signed on the c7000 and VC module. – Jason Tan Apr 11 '11 at 00:51
  • Can you import the Cert & Private Key if you generate it on another machine and export it? – Clint Apr 12 '11 at 23:16

3 Answers

If your chassis doesn't support adding SANs, you'll need to get the key off the chassis and generate the CSR with openssl.

Make sure req_extensions = v3_req is uncommented in the [ req ] section.

Add the subjectAltName to the [ v3_req ] section.

Generate a new CSR.

openssl req -new -key extracted_c7000.key -out your_new.csr

You cannot edit an existing CSR.

Cakemox
  • What cakemox said. If you could edit a certificate (that is, a signed CSR) after it had been signed, it would defeat the whole purpose of certificate authorities. – MadHatter Apr 08 '11 at 10:01
  • I don't want to edit the CSR after it is signed - that would, as you say, defeat the purpose. I want to edit the CSR after it is generated, but BEFORE it is signed. It is definitely possible to edit parts of a CSR before signing using openssl. – Jason Tan Apr 11 '11 at 00:46
  • If I could download the key, I would. Sorry I didn't mention that in the original question, but I have not been able to find a way to download the key. I'd be just as happy to pay the bounty to someone who could tell me how to download the key. – Jason Tan Apr 11 '11 at 00:48
  • FYI - It is definitely possible to edit parts of a CSR before signing using openssl, in particular the "openssl req -subj" option. This won't, however, as far as I can tell, add the v3 SAN extension; it will just allow you to specify a new subject line including additional CNs. – Jason Tan Apr 11 '11 at 00:56
  • The CSR is signed by the private key of the machine, so you can't edit it after it's been generated (or else it would fail to be signed anymore). It is possible that the CA edits the fields put in the public cert however; this is the only way to change the SAN field (which you have no control over if you're sending this to a public CA). – Chris S Apr 14 '11 at 12:54
While cakemox's answer is definitely the easiest if you can somehow get a copy of the private key, there's another way if you can't by basically re-signing the CSR using an "Enrollment Agent" certificate.

This blog post has all of the nitty gritty details. But the high level overview of the process looks like this:

  • Acquire an Enrollment Agent Certificate
  • Modify an SSL certificate template to require an EA certificate for issuance
  • Acquire a CSR that needs SAN Information
  • Use the EA certificate to resign the CSR while adding the SAN information

When I tried this personally, I'm pretty sure I skipped the part about modifying the certificate template. Presuming you can generate an Enrollment Agent cert for yourself, the actual process looks something like this.

Create a san.inf with the SAN extension info in it

[Extensions]
2.5.29.17="{text}dns=mysan1.example&dns=mysan2.example"

Re-sign the request

certreq -policy -config "myca.example\CA" orig-request.csr san.inf corrected-request.csr

Submit the corrected request

certreq -submit -config "myca.example\CA" -attrib "CertificateTemplate:MyTemplate" corrected-request.csr

And then proceed as normal with the issuance process.

Ryan Bolger
  • This seems like the real answer to the OP question. It does work, although it also says "Searching for private key..." on the -policy command and pops up some extra garbage, but hitting cancel works. Is there a way to do this in openssl/not windows without @Cakemox's blow it away method? – Andy May 06 '22 at 21:33
  • It seems like there should be a way to do it with openssl, but I have no clue how. – Ryan Bolger May 09 '22 at 05:30
Important note: All of this is somewhat speculative, so if you're deep in the code and it doesn't agree with what I'm saying, believe the code. I'm not a CA expert, I just play one on TV. That said:

As a feature of CSRs, it'll be tough. The final step in generating a CSR programmatically is to hash everything you've created, and then sign it with the private key. So, while you could add those attributes to the text of the CSR, the signature wouldn't match up with the contents, so no CA would sign it.

In your case, though, you control (or are at least in contact with) the CA. This gives you two options:

  1. You can instruct the CA to blithely ignore the signature on the CSR and to issue a cert anyway.
  2. You can have the CA issue a different cert than what is requested (e.g. by adding attributes).

Of these, #1 seems by far the easiest. You'll need to break the tamper-evident seal on OpenSSL to get it to do this, but it has some functions that should make it quite a bit easier. I'd start with asn1parse, which will show you how to break apart the CSR.

BMDan
  • On further research, option #2 is actually quite simple, too, and done by a number of CA's (e.g. to add `site.com` to a `www.site.com` cert as a SAN). – BMDan May 24 '11 at 01:36