Great thanks ...

So within the openssl.cnf file there are two x509_extensions entries.

First in the [ CA_default ] section...
x509_extensions = usr_cert

Second in the [ req ] section ...
x509_extensions = v3_ca

I have added the values:

SubjectAltName = @alt_names
[alt_names]
DNS.1 = server.domain.com
DNS.2 = server

... in the [v3_ca] section and recreated the request - is this the correct section?...

openssl req -new -key server.key -out server.csr -config customopenssl.cnf

and signed with self created CA...
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

Do I need to add the -config option to the bottom line?


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jakob Bohm
Sent: 01 September 2011 18:44
To: openssl-users@openssl.org
Subject: Re: Becoming a CA for group of internal servers?

req_extensions will put the names in a CSR (signing request) file when 
running the "req" command.

x509_extensions will put the names in the actual certificate file when 
running the "x509" command.

On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:
>
> thanks - sorry my previous post wasn't clear enough, the 
> req_extensions value references the section I put the subject and alt 
> names in...
>
> req_extensions = v3_req
>
> [ v3_req ]
>
> SubjectAltName = @alt_names
>
> Should this work?
>
>
> ----- Original Message -----
> From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
> To: openssl-users@openssl.org <openssl-users@openssl.org>
> Sent: Thu Sep 01 18:26:42 2011
> Subject: Re: Becoming a CA for group of internal servers?
>
> Ah, there it is.
>
> The "SubjectAltName = @alt_names" line is in the wrong section of your 
> file.
>
> You need to find the line that says "x509_extensions" (There may be more
> than one, try to find the one that is used).  That line contains the name
> of another section, and that other section is the one that needs to say
> "SubjectAltName = @alt_names" when you are generating the multi-name
> certificate.
>
> The mail you quote below mentions another way that does not involve
> putting the names in an openssl.cnf file, but in another file that looks
> almost like an openssl.cnf file.  His example file does not contain
> multiple names, and contains some other options that you probably won't
> need today, making it hard to understand.
>
> On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:
> >
> > Apologies I'm not sure I follow what you mean with below;
> >
> > I have copied openssl.cnf to customopenssl.cnf then edited the below
> > lines to allow multiple hosts….
> >
> >
> > req_extensions = v3_req
> >
> > SubjectAltName = @alt_names
> >
> > [alt_names]
> >
> > DNS.1 = server.domain.com
> >
> > DNS.2 = server
> >
> > Do I need to add more?
> >
> >
> >
> > ----- Original Message -----
> > From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
> > To: openssl-users@openssl.org <openssl-users@openssl.org>
> > Sent: Thu Sep 01 08:00:17 2011
> > Subject: Re: Becoming a CA for group of internal servers?
> >
> >
> > you might want to read the description of the -extfile parameter of
> > the x509 command
> >
> > an excerpt from   curl-7.21.6/tests/certs/scripts/genserv.sh
> > available at  curl.haxx.se
> >
> > $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout
> > $PREFIX-sv.key -out $PREFIX-sv.csr
> > $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
> > $OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days
> > $DURATION  -CA $CAPREFIX-ca.cacert
> > -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt
> > -text -nameopt multiline -sha1
> >
> > with a $PREFIX-sv.prm like the following
> >
> > extensions = x509v3
> > [ x509v3 ]
> > subjectAltName = DNS:localhost
> > keyUsage    = keyEncipherment
> > extendedKeyUsage = serverAuth
> > subjectKeyIdentifier = hash
> > authorityKeyIdentifier = keyid
> > basicConstraints = critical,CA:false
> > [ req ]
> > default_bits                    = 1024
> > distinguished_name              = req_DN
> > default_md            = sha256
> > string_mask            = utf8only
> > [ req_DN ]
> > countryName                     = "Country Name is Northern Nowhere"
> > countryName_value            = NN
> > organizationName              = "Organization Name"
> > organizationName_value     = Edel Curl Arctic Illudium Research Cloud
> > commonName                      = "Common Name"
> > commonName_value              = localhost
> >
> > [something]
> > # The key
> > # the certificate
> > # some dhparam
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org
> >
>
>
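An added worked example, not code from any message in this thread, that shows the distinction Jakob describes end to end: a CSR whose subjectAltName comes from the section named by req_extensions, then the same request signed twice with `openssl x509 -req`, once in the bare form of the command above (no extension file) and once with `-extfile`/`-extensions` as in the curl genserv.sh excerpt, printing the SAN each result carries. The file names, the two hostnames, the throwaway CA and the config contents are all constructed for this example; it needs only a POSIX shell, `mktemp` and the `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the thread). In a temp directory it builds:
#   san.cnf    - request config whose [v3_req] section (named by req_extensions)
#                carries subjectAltName for two constructed hostnames
#   ca.crt     - a throwaway self-signed CA
#   server.csr - a CSR that contains the SAN
# then signs the CSR twice with "openssl x509 -req", without and with
# -extfile/-extensions, and prints the SAN each certificate ends up with.
set -e

WORK="$(mktemp -d)"

write_config() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
# req_extensions is what "openssl req -new" copies into the CSR
req_extensions     = v3_req
# x509_extensions is only consulted by the self-signing form "openssl req -x509"
x509_extensions    = v3_ca

[ req_dn ]
CN = server.domain.com

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = server.domain.com
DNS.2 = server
EOF
}

# Print the Subject Alternative Name line of a CSR ("req") or a certificate
# ("x509"), or nothing if the object has no SAN extension at all.
san_line() {
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

build_ca_and_csr() {
  # Throwaway CA: "req -x509" self-signs, so x509_extensions ([v3_ca]) applies.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/san.cnf" -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Server key + CSR: req_extensions ([v3_req]) puts the SAN into the request.
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/san.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# The bare "x509 -req" form from the thread: the CSR's SAN is not carried over.
sign_without_extfile() {
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/plain.crt" 2>/dev/null
  san_line x509 "$WORK/plain.crt"
}

# Same signing step with -extfile/-extensions, the pattern in the curl script.
sign_with_extfile() {
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -extensions v3_req \
    -out "$WORK/san.crt" 2>/dev/null
  san_line x509 "$WORK/san.crt"
}

write_config
build_ca_and_csr
echo "CSR SAN          : $(san_line req "$WORK/server.csr")"
echo "cert, no extfile : [$(sign_without_extfile)]"
echo "cert, -extfile   : $(sign_with_extfile)"
```

The `x509_extensions` key under `[ CA_default ]` is read by the `openssl ca` command, not by `openssl x509`, so with `openssl x509 -req` the certificate only receives the extensions named by `-extfile` and `-extensions`; the CSR can carry the SAN and the issued certificate still lack it. Checking the final certificate with `openssl x509 -noout -text` (as `san_line` does) is the step that catches this before a client refuses the name.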
