Since OpenSSL 3.0, one can use the -copy_extensions option of openssl req to copy over any SANs contained in the CSR to the cert being created, or use -addext to directly specify extensions without the need to use a config file, or simply use the -x509 and -subj options to build a cert from scratch (without using a CSR) and add extensions on-the-fly, e.g.,
  openssl req -x509 -subj "/CN=test" -key ../prepare2/ca.key -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt
or use the -new option of openssl x509 to build a cert from scratch (without using a CSR) and add extensions on-the-fly, e.g.,
  openssl x509 -new -subj "/CN=test" -key ee.key -extfile <(printf "subjectAltName = IP:1.2.3.4, DNS:test.com") -out ee.crt

Otherwise, as mentioned in the first answer quoted below, the classical way involves a config file - for details see the manual file.
Yet even with older OpenSSL versions (such as 1.1.1f) you can do without using a config file, e.g.,
  openssl x509 -req -signkey ee.key -in ee.req -extfile <(printf "subjectAltName = IP:1.2.3.4, DNS:test.com") -out ee.crt
or
  openssl req -x509 -new -key ee.key -subj "/CN=test" -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt

HTH,
David

On Sat, 2022-05-21 at 06:45 -0400, Michael Richardson wrote:
>
> Henning Svane <h...@energy.dk> wrote:
>> I am using OpenSSL 1.1.1f. Is there a way to make a SAN certificate
>> based on the CSR I have created in Exchange? I need a self-signed
>> certificate for testing.
>
> I'm not exactly sure what you think a SAN certificate is.
> I guess one with a SubjectAltName extension. Mostly, all certificates have
> that these days, but whether or not the Subject is entirely filled out is a
> different question.
>
> To form a self-signed certificate from a CSR, use openssl req.
> You may need a configuration file, serial number, expiry and algorithm.
> You'll need access to the private key.
>
> See:
> https://datatracker.ietf.org/doc/html/draft-moskowitz-ecdsa-pki#section-4.2
>
> Some of us maintain a document on generated test CAs for ECDSA and EDDSA
> key types at:
> https://github.com/henkbirkholz/draft-moskowitz-ecdsa-pki
> While it is in the form of an IETF ID, it is not intended for publication.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    network architect  [
> ]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
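Worked example, added here and not code from the thread or from the OpenSSL project: a POSIX sh script that takes the CSR route David shows for 1.1.1f (openssl x509 -req ... -extfile), with a temp file in place of bash process substitution, and then reads the SAN back out of the finished certificate with openssl x509 -ext subjectAltName to confirm the extension really landed, since extensions in the CSR are not carried over unless you add them at signing time. The key type, file names and the /CN=test subject are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSL project.
# Self-signed certificate carrying a subjectAltName, built from a CSR with
# no openssl.cnf (the 1.1.1f command above), using a temp file for the
# extension text so it also runs under plain /bin/sh. File names are assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key + CSR, then sign the CSR with its own key while adding the SAN.
# Extensions inside the CSR do not reach the cert unless added at signing
# time (-extfile here, or -copy_extensions copy on OpenSSL 3.0+).
# Prints the path of the resulting certificate.
make_san_cert() {
    san="$1"    # e.g. "IP:1.2.3.4, DNS:test.com"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/ee.key"
    openssl req -new -key "$WORK/ee.key" -subj "/CN=test" -out "$WORK/ee.req"
    printf 'subjectAltName = %s\n' "$san" > "$WORK/san.ext"
    openssl x509 -req -days 30 -signkey "$WORK/ee.key" -in "$WORK/ee.req" \
        -extfile "$WORK/san.ext" -out "$WORK/ee.crt" 2>/dev/null
    printf '%s\n' "$WORK/ee.crt"
}

# Print the certificate's SAN entries one per line, e.g. "IP Address:1.2.3.4"
# and "DNS:test.com" (-ext is available since 1.1.1).
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -n '2,$p' | tr ',' '\n' | sed 's/^ *//'
}

# Exit 0 only if the SAN lists the given DNS name, i.e. the check a TLS
# client performs; a matching CN alone no longer satisfies most clients.
cert_has_dns() {
    cert_sans "$1" | grep -qx "DNS:$2"
}

crt=$(make_san_cert "IP:1.2.3.4, DNS:test.com")
cert_sans "$crt"
```

Swap -extfile for -addext on openssl req -x509 if you do not need the CSR at all; the cert_sans check applies to either route.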