Hello, I've read numerous webpages but I still don't understand many things on how to get it working properly.
I'm trying to add a subjectAltName so that my browser won't give me a certificate warning whether I access the web server using the FQDN or an IP address. In many web pages about this topic they write this about the openssl.cnf configuration:

    [ v3_req ]
    ....
    subjectAltName = @alternate_names

which is defined by

    req_extensions = v3_req

And then

    [ alternate_names ]
    DNS.1 = example.com

1) My first question is why they all specify a DNS as an alternate name? Here it looks like a domain name. I've made some tests and used

    [ v3_req ]
    ....
    subjectAltName = IP:1.1.1.1

It looks like things worked fine since I can see this address in this command's output (after signing the certificate with my CA):

    openssl x509 -noout -text -in myserver.crt
    ....
    X509v3 Subject Alternative Name:
        IP Address:1.1.1.1

2) My second question is that I would like this field to be a bit more dynamic. I would like to avoid editing openssl.cnf every time. When I generate a certificate, the system prompts me for many fields including the CN. I would like it to prompt for the subjectAltName too. How can I do this? Actually I've tried to add "subjectAltName = Alternative names (comma separated list)" in the [ req_distinguished_name ] section defined by distinguished_name = req_distinguished_name, and it prompts me for that field, but it's never exported as an X509v3 Subject Alternative Name if I do that. For the signature I use this command line:

    openssl x509 -extfile /etc/ssl/openssl.cnf -extensions v3_req -req -days 730 -in myserver.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out myserver.crt

3) My openssl is compiled to read the configuration file /etc/ssl/openssl.cnf by default when I generate certificates. In that latest command I had to add -extfile /etc/ssl/openssl.cnf explicitly, otherwise the X509v3 extensions are not added. Why doesn't openssl look at /etc/ssl/openssl.cnf automatically as it does for some other actions?

PS: I read the man page which states that it defaults to x509_extensions but didn't understand that fully. Thank you for your answers.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
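As an added example, not code from the original post: a small POSIX shell helper that takes the SAN list on the command line (or prompts for it, the way the DN fields are prompted), writes it into a throwaway extension file, and points `openssl x509 -extfile` at that file instead of /etc/ssl/openssl.cnf. The function names and the `san.ext` file name are my own choices, and the extension set assumes a server certificate.

```shell
#!/bin/sh
# Added example (not from the original post): build the [ v3_req ] extension
# section from a SAN list supplied at signing time, so openssl.cnf is never
# edited per certificate. The list uses the x509v3 syntax openssl accepts in
# subjectAltName, e.g. "DNS:www.example.com,IP:1.1.1.1".

# Accept only DNS:, IP:, email: and URI: entries, each with a non-empty value.
# Returns 1 on the first malformed entry so a typo cannot end up in the cert.
validate_san() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
        case "$entry" in
            DNS:?*|IP:?*|email:?*|URI:?*) ;;
            *) echo "bad SAN entry: '$entry'" >&2; exit 1 ;;
        esac
    done
}

# Print an extension file equivalent to the post's [ v3_req ] section, with
# subjectAltName taken from the argument. Server-cert extensions are assumed.
san_extfile() {
    validate_san "$1" || return 1
    printf '[ v3_req ]\n'
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\n'
    printf 'subjectAltName = %s\n' "$1"
}

# Sign a CSR with the CA as in the post; only -extfile changes, pointing at the
# generated file (san.ext, my own name) instead of /etc/ssl/openssl.cnf.
# With an empty fifth argument the SAN list is prompted for, like the DN fields.
sign_with_san() {
    csr=$1; ca=$2; cakey=$3; out=$4; san=$5
    if [ -z "$san" ]; then
        printf 'Subject Alternative Names (comma separated list): '
        read -r san
    fi
    san_extfile "$san" > san.ext || return 1
    openssl x509 -req -days 730 -in "$csr" -CA "$ca" -CAkey "$cakey" \
        -CAcreateserial -extfile san.ext -extensions v3_req -out "$out"
}

# Runs only when invoked with arguments, e.g.:
#   sh sign_with_san.sh myserver.csr myCA.crt myCA.key myserver.crt "DNS:example.com,IP:1.1.1.1"
if [ "$#" -ge 4 ]; then
    sign_with_san "$@"
fi
```

The same effect without a temporary file: OpenSSL's config parser expands `$ENV::NAME`, so `subjectAltName = $ENV::SAN` in the [ v3_req ] section reads the value from a SAN environment variable exported before the command runs.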