4ybaka

Reputation: 3264

Subject Alternative Name is not copied to signed certificate

I use a self-signed CA cert to sign other certificates. For some certs I need to specify subject alternative names. I can specify them during request generation (openssl req ...) and I see them in the .csr file. Then I sign it with the CA cert using

openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt

and the following sections in the openssl.cnf file:

[ x509 ]
x509_extensions = x509v3_config

[ x509v3_config ]
copy_extensions = copy

but I see no SAN in the .crt file.

I know about solutions with the openssl ca ... command, but I have no valid [ca] section and I don't want to copy/paste one without a deep understanding of what it does. So I hope another solution exists with the openssl x509 ... command.

Upvotes: 20

Views: 19417

Answers (5)

alex007

Reputation: 91

There is good documentation here: Certificates

You will need to compose an openssl conf file while creating an x509 cert request like this:

create CSR

openssl req -new -key server.key -out server.csr -config csr.conf

sign CERT

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf

Upvotes: 2

Martin Peter

Reputation: 3941

Currently (2023), the accepted answer is no longer true, as it is indeed possible to use copy_extensions with openssl's x509 command since OpenSSL v3.

Docs: https://www.openssl.org/docs/manmaster/man1/openssl-x509.html

So, with OpenSSL version 3 upwards, you can now copy the extensions you previously defined in your signing request by doing something like this:

openssl x509 -req \
   -copy_extensions copyall \
   -days 365 \
   -in my.csr \
   -signkey ca.key \
   -out my.crt

Upvotes: 3

Hamza Anjum

Reputation: 51

You can now use the copy_extensions flag to resolve this issue, so the right way is to use it as a flag, as given below:

-copy_extensions=copyall

Note that the value can differ according to the requirement.

Upvotes: 5

schuess

Reputation: 69

Sorry, I can't comment (yet).

In addition to @frasertweedale:

I generated my server certificate with a config file

openssl req -new -out certificate.csr -key certificate_private_key.pem -sha256 -days 1825 -config certificate.conf

I then did

Instead, you should specify the exact extensions you want as part of the OpenSSL x509 command, using the same directives you used for OpenSSL req.

with the following command (I used the same .conf file again):

openssl x509 -req -in certificate.csr -CA ca-root-public-certificate.pem -CAkey ca-key.pem -CAcreateserial -out certificate_public.pem -sha256 -days 1825 -extfile certificate.conf -extensions v3_req

Upvotes: 6

frasertweedale

Reputation: 5684

The copy_extensions directive is only understood by the openssl ca command. There is no way to copy extensions from a CSR to the certificate with the openssl x509 command.

Instead, you should specify the exact extensions you want as part of the openssl x509 command, using the same directives you used for openssl req.

Upvotes: 14
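The -extfile/-extensions approach that the two answers above describe, as an added example that is not from the question or any answer: it builds a throwaway CA and a SAN-bearing CSR in a temporary directory (all names, paths and the example.internal hostnames are constructed), signs the CSR with openssl x509 -req, and then checks that the SAN actually reached the issued certificate and that it chains to the CA.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Works on
# OpenSSL 1.1.1 and 3.x; it does not rely on copy_extensions at all.
set -e

# Creates CA, server key, CSR and signed cert; prints the working directory.
sign_with_san() {
  dir=$(mktemp -d)
  cat > "$dir/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = example.internal
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = example.internal
DNS.2 = www.example.internal
EOF
  # Throwaway self-signed CA; -subj overrides the [ dn ] name for this cert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/san.cnf" \
    -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR; the SAN lands in the CSR via req_extensions = v3_req.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/san.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Sign. x509 -req does not carry the CSR's extensions over by itself, so
  # -extfile/-extensions re-applies the same [ v3_req ] directives to the cert.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/san.cnf" -extensions v3_req \
    -out "$dir/server.crt" 2>/dev/null
  echo "$dir"
}

# Returns 0 only if the cert lists the expected SAN and chains to the CA.
san_present() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q 'DNS:www.example.internal' || return 1
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}
```

Run sign_with_san, then san_present on the printed directory; a non-zero exit from san_present means the SAN was dropped during signing, which is exactly the symptom in the question.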
