On Thu, Aug 29, 2013 at 04:38:17PM -0700, Erich Weiler wrote:

> I was wondering if there was also a way to quickly create a certificate and
> key file in a similar fashion while also designating SubjAltName options on
> the openssl command line?

The bash script below uses inline command file descriptors <(command),
to dynamically construct an ephemeral openssl config file.

It is a bit rough, since e.g. any non-ecdsa algorithm is assumed
to be RSA, and the ECDSA curve is hard-coded, ...  Still you get
the idea.

The output file has correct permissions courtesy of mktemp(1).
Otherwise, you need to tweak the umask, since openssl's "-out"
option does not disable world/group read on the output file even
when saving private keys.

-- 
        Viktor.

#! /bin/bash

# usage: fqdn out.pem [pkeyalg]

case $3 in
ecdsa)
    tmp=$(mktemp "$2.XXXXXX")
    openssl req -sha256 -new 2>/dev/null \
         -config <(printf "[req]\n%s\n%s\n[dn]\n[exts]\n%s\n[alts]\n%s\n" \
                   "distinguished_name = dn" \
                   "x509_extensions = exts" \
                   "$(printf "%s\n%s\n%s\n%s\n%s" \
                     "basicConstraints        = CA:false" \
                     "extendedKeyUsage        = serverAuth, clientAuth" \
                     "subjectKeyIdentifier    = hash" \
                     "authorityKeyIdentifier  = keyid:always" \
                     "subjectAltName=@alts")" \
                   "DNS=$1") \
         -newkey param:<(openssl ecparam -name prime256v1) \
           -keyout /dev/stdout -nodes \
         -x509 -set_serial 1 -days 0 -subj "/" >> "$tmp" &&
    mv "$tmp" "$2" ;;
*)  tmp=$(mktemp "$2.XXXXXX")
    openssl req -sha256 -new 2>/dev/null \
         -config <(printf "[req]\n%s\n%s\n[dn]\n[exts]\n%s\n[alts]\n%s\n" \
                   "distinguished_name = dn" \
                   "x509_extensions = exts" \
                   "$(printf "%s\n%s\n%s\n%s\n%s" \
                     "basicConstraints        = CA:false" \
                     "extendedKeyUsage        = serverAuth, clientAuth" \
                     "subjectKeyIdentifier    = hash" \
                     "authorityKeyIdentifier  = keyid:always" \
                     "subjectAltName=@alts")" \
                   "DNS=$1") \
         -newkey rsa:2048 \
           -keyout /dev/stdout -nodes \
         -x509 -set_serial 1 -days 0 -subj "/" >> "$tmp" &&
    mv "$tmp" "$2" ;;
esac
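As an added example (not Viktor's script), the same ephemeral-config trick in bash, generalized to several SAN entries (DNS and IP, numbered as the config format requires), with the two checks a practitioner would run afterwards: that the SAN in the resulting certificate is what was asked for, and that the combined key+cert file kept the 0600 mode mktemp(1) gave it. Hostnames and the address are constructed; it assumes `openssl` is on PATH.

```bash
#!/bin/bash
# Added example, not the original poster's code. Builds an openssl config
# in a <(...) process substitution and writes key + self-signed cert to one
# file created by mktemp(1), so the private key is never group/world readable.

# san_config DNS:host [DNS:host|IP:addr ...]  -> config text on stdout
# Entries are numbered (DNS.1, DNS.2, IP.3 ...) so several can coexist.
san_config() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = exts\n[dn]\n'
    printf '[exts]\nbasicConstraints = CA:false\n'
    printf 'extendedKeyUsage = serverAuth, clientAuth\n'
    printf 'subjectKeyIdentifier = hash\nsubjectAltName = @alts\n[alts]\n'
    local i=0 entry
    for entry in "$@"; do
        i=$((i + 1))
        # "DNS:www.example.test" becomes "DNS.1 = www.example.test"
        printf '%s.%d = %s\n' "${entry%%:*}" "$i" "${entry#*:}"
    done
}

# mkcert_san out.pem DNS:host [DNS:host|IP:addr ...]
# The key is written first (-keyout), the certificate is appended via
# stdout; ">>" matters, a plain ">" would overwrite the key with the cert.
mkcert_san() {
    local out=$1 tmp cn; shift
    cn=${1#*:}                      # first SAN host doubles as CN
    tmp=$(mktemp "$out.XXXXXX") || return 1
    openssl req -new -x509 -sha256 -nodes -days 365 -subj "/CN=$cn" \
        -config <(san_config "$@") -newkey rsa:2048 \
        -keyout "$tmp" >> "$tmp" 2>/dev/null \
        && mv "$tmp" "$out"
}

# cert_san file.pem -> "DNS:a,DNS:b,IPAddress:x" (spaces stripped)
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# file_mode file -> octal permission bits, GNU or BSD stat
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```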
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org