> From: owner-openssl-us...@openssl.org On Behalf Of redpath > Sent: Thursday, 22 August, 2013 09:36
> I have searched the forums for multiple hostnames and commonName. > I cannot get created Certs that are signed by the CA to have > a commonName supplied in the > config instead of the command line. I also want them to have > subjectAltName fields There are four ways to set Subject DN: from the config file with -batch or prompt=no, on the command line using -subj, or stdin when prompted. SAN, like other extensions, can be set from the config file for the *ca*, or from the config file for the request *if* you use 'ca' (you did) and set copy_extensions (you didn't). > too. I have tried the Policy *match* and basically get errors > for it to > create certs. > I am sure there is some tweak here and enclosed the config file. > Policy doesn't change anything in a cert, it only decides if 'ca' will issue a cert at all. > *I assume this would fix the > * "This certificate is not valid (host name mismatch) > Having the right values in Subject and/or SAN should fix that type of error. Which method you use to get the right values shouldn't matter. If you get only one right, RFCs say the relier *should* take SAN in preference to Subject, but I wouldn't be confident all reliers do. > *Create the CA* > > openssl req -new -x509 -days 3650 -extensions v3_ca > -keyout certprivkey.pem -out myCAcert.pem -config myconfig > -batch -passout pass:CApassword > Note: that puts the CA private key in a location different than where your config file below tells 'ca' to look for it. Did you move or copy it to the right place? > *Make a cert and sign it with the CA for SSL usage.* > > openssl req -new -nodes -out my.csr -days 731 -keyout mykey.pem > -batch -extensions v3_OCSP -config myconfig > > openssl ca -out *mycert.pem *-in my.csr -passin pass:CApassword > -batch -extensions v3_OCSP -cert myCAcert.pem -config myconfig > Nit: req -new without -x509 does not make a cert, it makes a Certificate Signing Request aka CSR. *ca* (if no error) makes the cert *from* the CSR, and signs the cert. A CSR is not a cert, although it has some similarities. More serious: if you use the same config file for the CA cert (req -new -x509) and the "mycert" CSR (req -new), with -batch and without -subj, you'll get a child cert with the same Subject as the CA that issued it. THAT WON'T WORK. THEY MUST HAVE DIFFERENT NAMES. If you use -subj or stdin it's easy to give different input; using solely config files you need two config files. > > *I use the command * > openssl x509 -in *mycert.pem* -text > > *To see the subject field which only shows* > Subject: C=US, ST=North Carolina, O=IBM Corporation > > *and* > > X509v3 extensions: > X509v3 Basic Constraints: > CA:FALSE > X509v3 Key Usage: > Digital Signature, Non Repudiation, Key Encipherment > X509v3 Extended Key Usage: > OCSP Signing > > *My sandbox Config file is below <snip> > * As noted there are two ways to set Subject DN from a config file, and you appear to have used an inconsistent hybrid mishmosh which doesn't work. One method is to use req -batch and not -subj, and specify in the DN section (normally and in your case [req_distinguished_name]) at least two lines for each "field" (AVA) e.g. commonName = prompt commonName_default = default or fixed value commonName_min = min optional commonName_max = max optional and specify your values on the "default" lines. The other method is to use prompt=no in the [req] section, and give the fixed values for the attributes directly like commonName = fixed value As for SAN, your config file doesn't request it at all, so it's not surprising you didn't get it. Either: In the config file used by req -new in the extensions section you use (v3_OCSP) add subjectAltName=DNS:name,DNS:name ... and in the config file used by ca in [default_CA] add copy_extensions=copy . Note that this will copy other extensions as well as SAN, so it can be insecure if you process CSRs from anybody who isn't fully trusted. If you yourself do all CSRs presumably you trust yourself. Or: In the config file used by 'ca' in the extensions section you use (v3_OCSP) add the above. This uses the same value for all issued certs, so if you issue certs to multiple systems it's easy to get this wrong. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
