Can't get the subjectAltName into the root cert


Can't get the subjectAltName into the root cert

Robert Moskowitz
I guess I am making progress. I am not getting SAN into the root cert. My
cnf has in it:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions      = req_ext

[ req_ext ]
#subjectAltName = email:$ENV::adminemail
#subjectAltName = email:[hidden email]
subjectAltName = IP:192.168.24.1

I tried all three above alternatives for SAN.  No SAN in the root cert
created with:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
       -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Thanks for any insight.

This type of cnf worked for creating a CSR, and with the copy option the
SAN made it into the cert.

thanks

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Can't get the subjectAltName into the root cert

Jeffrey Walton
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <[hidden email]> wrote:

> I guess I am making progress.  I am not getting SAN into the root cert.  my
> cnf has in it:
>
> [ req ]
> # Options for the `req` tool (`man req`).
> default_bits        = 2048
> prompt              = no
> distinguished_name  = req_distinguished_name
> string_mask         = utf8only
> req_extensions      = req_ext
>
> [ req_ext ]
> #subjectAltName = email:$ENV::adminemail
> #subjectAltName = email:[hidden email]
> subjectAltName = IP:192.168.24.1
>
> I tried all three above alternatives for SAN.  No SAN in the root cert
> created with:
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>       -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>
> Thanks for any insight.
>
> This type of cnf worked for creating a CSR and with the copy option the SAN
> made it into the cert.

It looks a bit unusual for a Root CA.

As far as signing the CSR, you need

    copy_extensions = copy

Jeff

Re: Can't get the subjectAltName into the root cert

Robert Moskowitz


On 08/17/2017 06:38 PM, Jeffrey Walton wrote:

> It looks a bit unusual for a Root CA.
>
> As far as signing the CSR, you need
>
>      copy_extensions = copy

I have that in the [ ca ] section and it did put SAN into the
intermediate CA cert.

But I can't seem to get it into the root CA cert.

Bob


Solved - Re: Can't get the subjectAltName into the root cert

Robert Moskowitz
In reply to this post by Jeffrey Walton
Kind of...

Does not put SAN in CA cert:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
       -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Does put SAN in CA cert:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
       -new -sha256 -extensions v3_ca -out csr/ca.csr.pem

openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
       -in csr/ca.csr.pem -out certs/ca.cert.pem

Interesting that the single step does not work, but the two-step does.

Do I need -extensions v3_ca in both commands?  Plus sha256 in both?
Could benefit from some refinement.  Or getting the 1 step working.

Good enough for now!

Bob


On 08/17/2017 06:38 PM, Jeffrey Walton wrote:

> It looks a bit unusual for a Root CA.
>
> As far as signing the CSR, you need
>
>      copy_extensions = copy
>
> Jeff


Re: Solved - Re: Can't get the subjectAltName into the root cert

Robert Moskowitz
No, it does not work. It worked because I had the old root CA cert there.
Without it, it fails.

I tried adding -selfsign and that did something, but did not create a
trusted cert...


On 08/17/2017 08:44 PM, Robert Moskowitz wrote:

> Kind of...
>
> Does not put SAN in CA cert:
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>       -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>
> Does put SAN in CA cert:
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>       -new -sha256 -extensions v3_ca -out csr/ca.csr.pem
>
> openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
>       -in csr/ca.csr.pem -out certs/ca.cert.pem
>
> Interesting that the single step does not work, but the two-step does.
>
> Do I need -extensions v3_ca in both commands?  Plus sha256 in both?
> Could benefit from some refinement.  Or getting the 1 step working.
>
> Good enough for now!
>
> Bob


Re: Solved - Re: Can't get the subjectAltName into the root cert

Robert Moskowitz
It IS working with -selfsign.  So this step is done.

openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
       -selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem

openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             87:b5:1d:03:12:a9:f3:fa
     Signature Algorithm: ecdsa-with-SHA256
         Issuer: C=US, ST=MI, O=HTT Consulting, CN=Root CA
         Validity
             Not Before: Aug 18 01:50:19 2017 GMT
             Not After : Aug 13 01:50:19 2037 GMT
         Subject: C=US, ST=MI, O=HTT Consulting, CN=Root CA
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
                     04:03:ee:4a:51:17:df:50:2b:bc:69:63:b5:03:90:
                     b5:ed:cf:d5:67:16:94:46:9c:ca:5b:1c:87:d0:81:
                     18:04:bf:5a:c0:00:4e:90:4b:fb:2e:17:1c:aa:42:
                     1e:9e:bd:be:ba:d7:f8:6c:55:24:b2:91:da:61:9c:
                     66:b4:03:a5:93
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
             X509v3 Subject Key Identifier:
                 D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
             X509v3 Authority Key Identifier:
                 keyid:D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57

             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
             X509v3 Subject Alternative Name:
                 email:[hidden email]
     Signature Algorithm: ecdsa-with-SHA256
          30:46:02:21:00:ed:b6:ea:93:b5:df:b2:30:fe:17:fc:a6:fa:
          0e:c1:08:82:9a:84:59:a9:a6:5c:50:23:66:72:c0:da:7a:18:
          5b:02:21:00:8b:f1:52:ea:dd:44:88:a6:ee:43:cd:29:52:e4:
          27:57:ee:52:a2:47:86:6f:9e:11:9d:7d:72:a5:08:82:8f:14



On 08/17/2017 09:23 PM, Robert Moskowitz wrote:

> NO does not work.  It worked because I had the old root CA cert
> there.  Without it it fails.
>
> I tried adding -selfsign and that did something, but did not create a
> trusted cert...
>


FINAL simpler solution - Re: Solved - Re: Can't get the subjectAltName into the root cert

Robert Moskowitz
I just had to ask Dr. Google the right question:

openssl subjectaltname in a selfsigned certificate

After all, a root cert is a self-signed cert.

And I learned to put SAN in the [ v3_ca ] section, rather than the [ req ]
section; then all it takes is what I already had:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
       -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem


On 08/17/2017 09:52 PM, Robert Moskowitz wrote:

> It IS working with -selfsign.  So this step is done.
>
> openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
>       -selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem
>
> openssl x509 -in certs/ca.cert.pem -text -noout
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             87:b5:1d:03:12:a9:f3:fa
>     Signature Algorithm: ecdsa-with-SHA256
>         Issuer: C=US, ST=MI, O=HTT Consulting, CN=Root CA
>         Validity
>             Not Before: Aug 18 01:50:19 2017 GMT
>             Not After : Aug 13 01:50:19 2037 GMT
>         Subject: C=US, ST=MI, O=HTT Consulting, CN=Root CA
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:03:ee:4a:51:17:df:50:2b:bc:69:63:b5:03:90:
>                     b5:ed:cf:d5:67:16:94:46:9c:ca:5b:1c:87:d0:81:
>                     18:04:bf:5a:c0:00:4e:90:4b:fb:2e:17:1c:aa:42:
>                     1e:9e:bd:be:ba:d7:f8:6c:55:24:b2:91:da:61:9c:
>                     66:b4:03:a5:93
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
>             X509v3 Authority Key Identifier:
>                 keyid:D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
>
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>             X509v3 Subject Alternative Name:
>                 email:[hidden email]
>     Signature Algorithm: ecdsa-with-SHA256
>          30:46:02:21:00:ed:b6:ea:93:b5:df:b2:30:fe:17:fc:a6:fa:
>          0e:c1:08:82:9a:84:59:a9:a6:5c:50:23:66:72:c0:da:7a:18:
>          5b:02:21:00:8b:f1:52:ea:dd:44:88:a6:ee:43:cd:29:52:e4:
>          27:57:ee:52:a2:47:86:6f:9e:11:9d:7d:72:a5:08:82:8f:14
>

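The behaviour the thread works out by trial and error comes down to one rule: when `openssl req` is run with `-x509`, it adds extensions only from the section named by `-extensions` (or by `x509_extensions` in `[ req ]`); the `req_extensions` section is used only when a CSR is written. Jeff's `copy_extensions = copy` lives in `[ ca ]` and only affects `openssl ca`, which is why the two-step CSR-then-sign flow carried the SAN through while the one-step `-x509` flow dropped it. The script below is an added example, not Bob's configuration or anything from the openssl-users list; the DN, the e-mail SAN, the section names `v3_ca_nosan` and the file names are constructed for it, the `[ v3_ca ]` body is reconstructed from the extensions visible in the certificate dump above, and it needs the `openssl` command line tool on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: shows that `openssl req -new -x509
# -extensions SECTION` emits only SECTION's extensions, so a SAN placed in
# [ req_ext ] never reaches the self-signed root, while the same SAN in
# [ v3_ca ] does. All names, DN and SAN values below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/openssl-root.cnf" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions      = req_ext

[ req_distinguished_name ]
C  = US
O  = Example Org
CN = Example Root CA

# Applied only when a CSR is produced (openssl req -new without -x509).
[ req_ext ]
subjectAltName = IP:192.168.24.1

# Layout from the first post: CA extensions, SAN left in [ req_ext ].
[ v3_ca_nosan ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign

# Layout from the final post: the SAN sits in the section -x509 uses.
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectAltName         = email:ca-admin@example.com
EOF

# P-256 key, matching the key type in the thread's certificate dump.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/ca.key.pem" 2>/dev/null

# One-step self-signed root: $1 = extension section, $2 = output file.
make_root() {
    openssl req -config "$WORK/openssl-root.cnf" -key "$WORK/ca.key.pem" \
        -new -x509 -days 7300 -sha256 -extensions "$1" -out "$2"
}

# Print the SAN value of a certificate; prints nothing if it has none.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# Same check for a CSR.
csr_san() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

make_root v3_ca_nosan "$WORK/root-nosan.pem"   # [ req_ext ] SAN is ignored
make_root v3_ca       "$WORK/root-san.pem"     # [ v3_ca ] SAN is emitted

# The CSR path does honour [ req_ext ]; with copy_extensions = copy in
# [ ca ], `openssl ca -selfsign` then carries that SAN into the root.
openssl req -config "$WORK/openssl-root.cnf" -key "$WORK/ca.key.pem" \
    -new -sha256 -out "$WORK/ca.csr.pem"

echo "root, SAN in [ req_ext ] only: '$(cert_san "$WORK/root-nosan.pem")'"
echo "root, SAN in [ v3_ca ]       : '$(cert_san "$WORK/root-san.pem")'"
echo "CSR,  SAN from [ req_ext ]   : '$(csr_san "$WORK/ca.csr.pem")'"
```

`cert_san` is the check worth keeping: run it against any freshly minted root before distributing it, since the `-x509` path fails silently, producing a valid certificate that simply lacks the extension. Note also that a SAN on a root CA is unusual, as Jeff says; it plays no part in chain building or name validation, so treat it as informational only.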