openssl.cnf asking Subject Alternative Names certificates.


openssl.cnf asking Subject Alternative Names certificates.

Jorge Novo
Hi everyone,

  As most of us know, the Google Chrome browser asks about the Subject Alternative Name instead of the Common Name.

I want to distribute a little openssl.cnf file for creating the CSR files with my specific values and set the Subject Alternative Name = Common Name. I want to ask for the CN and assign this value to the SAN.

This is my beta openssl.cnf file:

*Sorry for the comments in Spanish

I do not know how to set a variable (CN variable) to assign to the SAN value.

-------------------------------- 8< -------------------------------- 8< -----------------------------------
#
# This file generates the CSRs for our systems with the agreed
# parameters.
#
# openssl genrsa -aes256 -out www.rra.lan.key 2048 -config opensslMiCasa.cnf
#

# Set a working directory; the current one, to be exact.

dir                             = .

[ req ]
default_bits                    = 2048                          # Size of keys
default_keyfile                 = key.pem                       # name of generated keys
default_md                      = sha256                        # message digest algorithm
string_mask                     = nombstr                       # permitted characters
distinguished_name              = req_distinguished_name
req_extensions                  = v3_req

[ req_distinguished_name ]
# Variable name                         Prompt string
#-------------------------        ----------------------------------
0.organizationName              = Nombre de la Organizacion
organizationalUnitName          = Mi Casa [Desarrollo|Infraestructuras|Laboratorio]
emailAddress                    = Cuenta de Correo
emailAddress_max                = 64
localityName                    = Localidad
stateOrProvinceName             = Comunidad Autónoma
countryName                     = ISO 3166-1 Codigo de País
countryName_min                 = 2
countryName_max                 = 2
commonName                      = Common Name

# Default values for the above, for consistency and less typing.
# Variable name                         Value
#------------------------         ------------------------------
0.organizationName_default      = Mi Casa
organizationalUnitName_default  = Mi Casa Infraestructuras
localityName_default            = Madrid
stateOrProvinceName_default     = Comunidad de Madrid
countryName_default             = ES

[ v3_req ]
basicConstraints                = CA:FALSE
subjectKeyIdentifier            = hash
subjectAltName                  =
-------------------------------- >8 -------------------------------- >8 -----------------------------------

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: openssl.cnf asking Subject Alternative Names certificates.

lists-161
On 10/10/2017 05:40 PM, Jorge Novo wrote:
> Hi everyone,
>
>   As most of us know, the Google Chrome browser asks about the Subject Alternative Name instead of the Common Name.
>
> I want to distribute a little openssl.cnf file for creating the CSR files with my specific values and set the Subject Alternative Name = Common Name. I want to ask for the CN and assign this value to the SAN.
>
> This is my beta openssl.cnf file:
>
> *Sorry for the comments in Spanish
>
> I do not know how to set a variable (CN variable) to assign to the SAN value.


In my limited knowledge, you can't copy the CN name into the SAN in the configuration.
An obvious yet clumsy workaround is to have a shell script ask for the FQDN, set a shell variable with the CN value and then recall the ENV variable from inside openssl.cnf, or you can have the script dynamically write/edit openssl.cnf with the user-entered value.




Re: openssl.cnf asking Subject Alternative Names certificates.

Jorge Novo
Hi,

On 13 October 2017 at 12:03, lists <[hidden email]> wrote:
> On 10/10/2017 05:40 PM, Jorge Novo wrote:
>>   As most of us know, the Google Chrome browser asks about the Subject Alternative Name instead of the Common Name.
>>
>> I want to distribute a little openssl.cnf file for creating the CSR files with my specific values and set the Subject Alternative Name = Common Name. I want to ask for the CN and assign this value to the SAN.
>>
>> This is my beta openssl.cnf file:
>>
>> *Sorry for the comments in Spanish
>>
>> I do not know how to set a variable (CN variable) to assign to the SAN value.
>
> In my limited knowledge, you can't copy the CN name into the SAN in the configuration.
> An obvious yet clumsy workaround is to have a shell script ask for the FQDN, set a shell variable with the CN value and then recall the ENV variable from inside openssl.cnf, or you can have the script dynamically write/edit openssl.cnf with the user-entered value.

This is correct: there is no configuration to copy the CN to the SAN or
vice versa, although it is weird because there is, in fact, a configuration to
copy the SAN email address from the distinguished name. This can be
done with the settings subjectAltName=email:copy or
subjectAltName=email:move. I cannot confirm it with move.


_Subject Alternative Name_

[...]
The email option include a special 'copy' value. This will automatically include any email addresses contained in the certificate subject name in the extension.
[...]


My solution for this was:

# export Cert_Name=www.micasa.local
# openssl req -new -keyout $Cert_Name.key -out $Cert_Name.csr -config opensslMiCasa.cnf
# unset Cert_Name




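
The environment-variable workaround discussed in this thread, written out as an added example; it is not code from any of the posters or from the OpenSSL project. It assumes a reduced, non-interactive config (`prompt = no`, constructed DN values) that reads `Cert_Name` through `$ENV::Cert_Name` for both the CN and the SAN; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: CN and SAN both come from one variable, Cert_Name
# (the name used in the thread). Function names are hypothetical.

# Accept only a plain dotted DNS name. The value is pasted into the
# subjectAltName string, where a comma would start another SAN entry.
valid_fqdn() {
    [ "${#1}" -le 253 ] || return 1
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduced config: prompt = no, DN values are constructed samples.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_md          = sha256
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

[ req_distinguished_name ]
organizationName    = Mi Casa
countryName         = ES
commonName          = $ENV::Cert_Name

[ v3_req ]
basicConstraints    = CA:FALSE
subjectAltName      = DNS:$ENV::Cert_Name
EOF
}

# usage: make_csr FQDN CONFIG  -> writes FQDN.key and FQDN.csr
make_csr() {
    valid_fqdn "$1" || { echo "refusing name: $1" >&2; return 1; }
    # Variable is set for this one command only, so nothing to unset.
    # -nodes leaves the key unencrypted; drop it to be asked for a passphrase.
    ( umask 077
      Cert_Name=$1 openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1.key" -out "$1.csr" -config "$2" )
}

# Print the SAN line of a CSR so the result can be checked before submission.
csr_san() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}
```

Typical use is `write_cnf my.cnf && make_csr www.micasa.local my.cnf`, followed by `csr_san www.micasa.local.csr` to confirm the SAN matches the CN.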