cmd line and subjectAltName


cmd line and subjectAltName

Anders Larsson
Hello.

I'm trying to use subjectAltName when I'm generating a CSR on the command line
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: cmd line and subjectAltName

Ryan Hurst-3
Can't be done, though most CAs don't use this information from the request.

Can do something like this:

rem 8. CN, O, OU1, OU2, E, city and all SAN types /w SHA1 & 2048
rem Build the config with echo: the first > creates test8.cnf, each >> appends one line
echo [ req ]>test8.cnf
echo default_bits = 2048>>test8.cnf
echo prompt = no>>test8.cnf
echo encrypt_key = no>>test8.cnf
rem sha1 is what this 2013 example used; public CAs no longer accept it, use sha256
echo default_md = sha1>>test8.cnf
echo distinguished_name = dn>>test8.cnf
echo req_extensions = req_ext>>test8.cnf

echo [ dn ]>>test8.cnf
echo CN = test8.com>>test8.cnf
echo emailAddress = [hidden email]>>test8.cnf
echo O = organisation>>test8.cnf
echo L = city>>test8.cnf
echo ST = state>>test8.cnf
echo C = US>>test8.cnf
echo 0.OU= unit1>>test8.cnf
echo 1.OU= unit2>>test8.cnf

rem The section named by req_extensions above; its extensions end up in the CSR
echo [ req_ext ]>>test8.cnf
echo subjectAltName = DNS:test8.com, [hidden email], IP:192.168.0.1, RID:1.2.3.4.5.6, URI:/urihere>>test8.cnf
rem -config reads the file just written; -keyout receives the freshly generated key
openssl req -new -config test8.cnf -keyout test8.com.key -out test8.com.csr


RE: cmd line and subjectAltName

Anders Larsson
In reply to this post by Anders Larsson
Hmm, somehow the e-mail got cut after the 1st line? :-(

Thanks Ryan for the echo suggestion, but it will just end up in a config file.
Also, since I'm running the CA internally, it will use the information.

If there is a -reqexts flag, what use is it if it cannot add extensions?
Especially since a subjectAltName is probably one of the most well-used objects?

Or should I completely avoid the cmd-line csr generation "oneliner" and always go for a config file?

With Regards
/Anders

------original message below-----
Hello.

I'm trying to use subjectAltName when I'm generating a CSR on the command line.

I've been trying with the "-reqexts" flag, but I'm only getting errors....
'Openssl req -new -key debug.key -passin pass:abcd -out debug.csr -subj '/C=SE/ST=Stockholm/L=Stockholm/O=ABC/OU=IntSys/CN=some.dns.stuff.int/' -reqexts subjectAltName=DNS:xyz.host.name.cc.int'

All it gives is a: "Error Loading request extension section subjectAltName=DNS:xyz.host.name.cc.int"

The config file is an option that seems to work, but I have not been able to mix the config file with cmd-line parameters. As soon as I try, openssl req seems to require the subject to be inside the config file :-/

The CA used is an internal one.

Is it possible, and if so, how do I format the cmd-line to make it accept x509 extensions from the cmd-line?

With Regards
/Anders


Re: cmd line and subjectAltName

Viktor Dukhovni
In reply to this post by Ryan Hurst-3
On Tue, Dec 03, 2013 at 12:29:09PM -0800, Ryan Hurst wrote:

> Cant be done, though most CAs dont use this information from the request.

It can be done in a sense on systems with shells (e.g. bash) that
support command-line ephemeral file-handles.

    $ openssl req -new -config <(
            cat <<-EOF
            [req]
            default_bits = 2048
            prompt = no
            default_md = sha1
            req_extensions = req_ext
            distinguished_name = dn
            [ dn ]
            CN = example.com
            [ req_ext ]
            subjectAltName = ...
            EOF
        ) ...

--
        Viktor.

Re: cmd line and subjectAltName

Ryan Hurst-3
Well, I provided a Windows example of the same approach, but it's not purely from the command line.

Ryan Hurst

Sent from my phone, please forgive the brevity.

Re: cmd line and subjectAltName

Ryan Hurst-3
In reply to this post by Anders Larsson
You could use a different config file and reference it on the command line.

Reqexts is used to reference a section in a config file.

Ryan Hurst

Sent from my phone, please forgive the brevity.

RE: cmd line and subjectAltName

Dave Thompson-5
In reply to this post by Anders Larsson
> From: owner-openssl-users On Behalf Of Anders Larsson
> Sent: Tuesday, December 03, 2013 17:20
<snip>
> Im trying to use subjectAltName when im generating a csr on the
> commandline.
>
> I been trying with the "-reqexts" flag, but im only getting errors....
> 'Openssl req -new -key debug.key -passin pass:abcd -out debug.csr -subj
> '/C=SE/ST=Stockholm/L=Stockholm/O=ABC/OU=IntSys/CN=some.dns.stuff.int/'
> -reqexts subjectAltName=DNS:xyz.host.name.cc.int'
>
As Ryan answered, -reqexts specifies a section of the config file,
so there must be a config file.

> All it gives is a: "Error Loading request extension section
> subjectAltName=DNS:xyz.host.name.cc.int
>
> The config file is an option that seems to work, but I have not been able
> to mix config file with cmd-line parameters....As soon as I try the openssl
> req seems to require the subject to be inside the config file :-/
>
Be clear if you mean subject or SAN. They are different.

Subject in req -new can be done 3 ways:
- actual values in the config file, with prompt=no in the config file
- prompts in the config file, and you answer interactively, or you
pipe or redirect from somewhere but that's very fragile
- -subj on the command line, but you must still have a section
in the config file with at least one entry even though it isn't used

And as someone pointed out to me recently, with -subj you can
create an EMPTY subject, which req won't do the other ways.
RFC 5280 allows cert subject to be empty when SAN is used,
and some (many?) people consider this preferable.
That doesn't necessarily mean *CSR* subject must be empty,
since a CA could discard CSR subject when issuing cert.
I could even see a plausible use case for this; CA might do validation
of the requestor based partly on CSR.subject.

SAN extension in req -new can only be done from config file.

> The CA used is an internal one.
>
> Is it possible, and if so, how do I format the cmd-line to make it accept
> x509 extensions from the cmd-line?
>
Be careful of this one too. Although X.509 defines some (not all)
of the extensions used in CSRs and certs, and CRLs, openssl often
uses x509 to mean specifically certs. In particular for 'req',
x509_extensions in the config file is used for a self-signed cert
created with -new -x509, while req_extensions is used for a CSR.
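The three answers above (Ryan's and Viktor's inline config, Ryan's and Dave's point that -reqexts only names a config section, and Dave's rule that -subj can be mixed with a config file that still carries a distinguished_name section) combined into one runnable script. This is an added example, not code from any of the posters; it assumes an openssl binary in PATH (1.0.x or later) and a POSIX shell. The names under example.test, the 192.0.2.10 address and the placeholder.invalid entry are constructed documentation values.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR whose SAN comes from an
# inline config and whose subject comes from -subj, then inspect the result.
# Assumes: openssl in PATH, POSIX sh. Hostnames/addresses are constructed.

# Write the config from a heredoc into a temp file and hand it to -config.
# Under bash the temp file can be avoided with Viktor's form,
#   openssl req -new -config <(cat <<EOF ... EOF) ...
# but the file form also runs under dash/sh.
make_csr() {
    outdir=$1
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
encrypt_key         = no
default_md          = sha256
distinguished_name  = dn
# No req_extensions line on purpose: the section is chosen on the command
# line with -reqexts, which is all that flag does (it names a section; it
# does not accept "subjectAltName=..." literally).

[ dn ]
# -subj below overrides this, but 1.0.x-era req refuses to run without a
# distinguished_name section holding at least one entry (Dave's point).
CN = placeholder.invalid

[ san_ext ]
subjectAltName = DNS:www.example.test, DNS:example.test, IP:192.0.2.10
EOF
    # -reqexts selects [ san_ext ]; -subj supplies the subject; -newkey makes
    # the key so no -key file is needed. Returns openssl's exit status.
    openssl req -new -config "$cfg" -reqexts san_ext \
        -newkey rsa:2048 -nodes -keyout "$outdir/example.key" \
        -subj '/C=SE/O=ABC/CN=www.example.test' \
        -out "$outdir/example.csr" || { rm -f "$cfg"; return 1; }
    rm -f "$cfg"
}

# The SAN value as req -text prints it under "Requested Extensions"
# (the line after the "X509v3 Subject Alternative Name" header).
csr_san() {
    openssl req -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# Subject in RFC 2253 form, without the "subject=" prefix.
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Self-signature check; exit status 0 means the CSR verifies.
csr_verifies() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_csr "$dir" || return 1
    echo "subject: $(csr_subject "$dir/example.csr")"
    echo "SAN:     $(csr_san "$dir/example.csr")"
    csr_verifies "$dir/example.csr" && echo "signature: OK"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo`. The SAN line should read `DNS:www.example.test, DNS:example.test, IP Address:192.0.2.10` and the subject `CN=www.example.test,O=ABC,C=SE`; if the CSR shows no "Requested Extensions" block, the -reqexts name does not match a section in the file. Check the permissions of example.key before moving it anywhere: recent releases create it mode 0600, older ones use the process umask.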