I'm using the OpenSSL command line tool to generate a self-signed certificate. It seems to be working correctly except for two issues. I can't get it to create a .cer with a Subject Alternative Name (critical) and I haven't been able to figure out how to create a cert that is Version 3 (not sure if this is critical yet but would prefer learning how to set the version).
Has anyone done this successfully? The default config (.cfg) file has seemingly clear documentation (seen below):
"This stuff is for subjectAltName and issuerAltname. Import the email address. subjectAltName=email:copy"
However this does not work. My hunch is that the Subject Alternative Name is not showing up because it is not present in the V1 specs, which is why I'm also pursuing setting the version.
Here is the config file I'm using:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
emailAddress = myEmail@email.com
req_extensions = v3_req
x509_extensions = v3_ca
[req_distinguished_name]
C = [Press Enter to Continue]
C_default = US
C_min = 2
C_max = 2
O = [Press Enter to Continue]
O_default = default
0.OU=[Press Enter to Continue]
0.OU_default = default
1.OU=[Press Enter to Continue]
1.OU_default = PKI
2.OU=[Press Enter to Continue]
2.OU_default = ABCD
commonName = Public FQDN of server
commonName_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = email:myEmail@email.com
issuerAltName = issuer:copy
I just developed a web-based tool that will generate this command automatically based on form input and display the output.
UPDATE: see certificatetools.com
It became so popular that I improved it and published it under its own domain name.
It will not only give you the downloadable .csr, but also provide the openssl commands that were used to generate it, and the needed openssl.cnf configuration options.
Example: OpenSSL Commands / OpenSSL CSR Config
The v3_req section is required, with the entry subjectAltName in the config file. The command will insert the SAN into the certificate.
What command did you use to make the CSR certificate request? What command did you use to make the certificate file? Different answers for different circumstances, you know.
Maybe you are not putting subjectAltName=email:copy in the section [v3_req].
Maybe you are using openssl x509 to generate the certificate; if so, you must use -extfile /etc/pki/tls/openssl.cnf because without that it doesn't use your config file.
You also might need the -extensions v3_req command line switch.
Alright, none of the other answers on this page worked for me, and I tried every last one of them. What worked for me was a little trick:
when requesting the cert:
and when signing the cert:
So there is no confusion, here is a working script that covers everything from the start, including creating a certificate authority:
We can then verify that the Subject Alternative name is in the final cert:
The pertinent section is:
So it worked! This is a cert that will be accepted by every major browser (including Chrome), so long as you install the certificate authority in the browser. That's ca-cert.crt that you will need to install.
Here is a sample configuration for nginx that would allow you to use the cert:
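The procedure the two answers above describe (create a CA, request a cert whose SAN sits in a v3_req section, sign it with openssl x509 -req using -extfile and -extensions v3_req, then verify the SAN and the X.509 version), as an added example that is neither the poster's script nor the nginx config: the WORK scratch directory, the example.test hostnames and the config section contents are assumptions.

```sh
#!/bin/sh
# Added example (not from the answer above): CA + leaf cert carrying a SAN, then verify.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch dir for config, keys and certs
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
[ req_distinguished_name ]
CN = www.example.test
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}
make_ca() {   # self-signed CA; -extensions selects the v3_ca section of our config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/openssl.cnf" \
    -subj "/CN=Example Test CA" -extensions v3_ca \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}
make_leaf() { # the CSR carries the SAN, but x509 -req drops it unless -extfile/-extensions say otherwise
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -keyout "$WORK/leaf-key.pem" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 365 -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -in "$WORK/leaf.csr" -out "$WORK/leaf-cert.pem" \
    -extfile "$WORK/openssl.cnf" -extensions v3_req 2>/dev/null
}
# SAN entries of a cert, comma-separated without spaces; prints nothing if the extension is absent.
cert_san() {
  openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}
# X.509 version from the text dump; the presence of any extension forces version 3.
cert_version() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }

write_config && make_ca && make_leaf
echo "SAN:     $(cert_san "$WORK/leaf-cert.pem")"
echo "Version: $(cert_version "$WORK/leaf-cert.pem")"
```

Omitting -extfile/-extensions from the openssl x509 -req step leaves cert_san empty for the signed cert even though the CSR contained the SAN, which is the symptom the question describes.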
I got it to work with the following version (emailAddress was incorrectly placed):
Notes:
- To generate the certificate I used:
- issuerAltname (if you have, I'd be interested to know where).
- issuer:always isn't recommended for authorityKeyIdentifier.
- email:copy now works with subjectAltName.
- v3_req section is superfluous (as well as the req_extensions line).