OpenSSL SAN Certs

The command is run by adding -config and giving it this file. The normal openssl.cnf is not overridden in full, I think.

Other options you want: rsa:4096, and -sha256 to sign with SHA-256 (cannot be used with older clients, etc.).

Use a cert-specific openssl.cnf; name it "my-san-cert-openssl.cnf" so it gets sorted along with my-san-cert.csr, etc.

SAN openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
# Do NOT change these.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization
organizationalUnitName  = Organizational Unit Name (eg, section)
commonName = Common Name
emailAddress = Email (optional)

# Instead change these; they should be the most common + required ones
# (all but OU and Email are required).
countryName_default = Change_this
stateOrProvinceName_default = Change_this
localityName_default = Change_this
organizationName_default = Change_this
organizationalUnitName_default = Change_this
# The CN goes here.
# Some people say it should be the machine name, or rather a user-friendly, descriptive text,
# not the FQDN. I'm fighting with curl over that. Use the FQDN if you want to be safe.
commonName_default = CN
emailAddress_default = mail_for_ca_requesting_team
commonName_max  = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = fqdn
# I'm inclined to say the short machine name should also go here
DNS.2 = short_machine_name
# other FQDNs, one per numbered entry
DNS.3 = other
DNS.4 = fqdns...
# any IP it needs, if it needs one
IP.1 = ip_address

To check, you can use the following command:

$ openssl req -text -noout -verify -in my-san-cert.csr | grep -A2 "X509v3 Subject"
verify OK
            X509v3 Subject Alternative Name: 
                DNS:FQDN IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

To do the same remotely, you can try the same with the client mode:

$ openssl s_client -connect fqdn:443 | grep -A2 "X509v3 Subject"

(Nope, doesn't work)

I use this to get the info:

https://github.com/azet/tls_tools

Hints:

If you template this and want to run the openssl command automatically, you need to pipe the right number of line breaks into it.

Wow, it seems to also be possible to define an ALTNAMES variable:

http://www.crsr.net/Notes/SSL.html (very end of page)
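The whole flow from these notes as an added shell example (not code from the original page): it builds the config with prompt = no instead of the prompted *_default fields, so no line breaks need piping, numbers the DNS.n / IP.n entries for you, and does the remote check that the bare s_client pipe above could not, because s_client prints the PEM and it has to be decoded with x509 first. The hostnames, the IP address and the C/O values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original notes. It builds the SAN config
# without interactive prompts (prompt = no, so no line breaks need piping),
# writes the CSR, and reads the SANs back locally or from a live server.
# Hostnames, the IP and the C/O values below are constructed placeholders.

# san_config CN SAN...  -> prints a complete cnf for one CSR. SANs are given as
# "DNS:name" or "IP:addr" and are numbered DNS.1, DNS.2, ..., IP.1, ... in order.
san_config() {
    cn=$1; shift
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
    printf '[dn]\nC = XX\nO = Example Org\nCN = %s\n' "$cn"
    printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n[alt_names]\n'
    dns=0; ip=0
    for san in "$@"; do
        case $san in
            DNS:*) dns=$((dns + 1)); printf 'DNS.%d = %s\n' "$dns" "${san#DNS:}" ;;
            IP:*)  ip=$((ip + 1));   printf 'IP.%d = %s\n'  "$ip"  "${san#IP:}" ;;
            *)     echo "san_config: unknown SAN type in '$san'" >&2; return 1 ;;
        esac
    done
}

# make_csr NAME CN SAN... -> writes NAME.key, NAME-openssl.cnf and NAME.csr
make_csr() {
    name=$1; shift
    san_config "$@" > "$name-openssl.cnf" || return 1
    openssl req -new -newkey rsa:4096 -sha256 -nodes \
        -keyout "$name.key" -out "$name.csr" -config "$name-openssl.cnf"
}

# Print only the SAN value line, e.g. "DNS:host.example.internal, IP Address:10.0.0.5"
san_line() { grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'; }

# csr_sans FILE -> SANs requested in a CSR
csr_sans() { openssl req -noout -text -in "$1" | san_line; }

# remote_sans HOST:PORT -> SANs in the cert a server presents. s_client prints the
# PEM, not the text form, which is why grepping it directly finds nothing; decode
# the PEM with x509 first.
remote_sans() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | san_line
}
```

Whether the SANs survive signing depends on the CA honouring the CSR's requested extensions (for an openssl ca setup that is copy_extensions = copy in its config).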