[opensuse] openssl doesn't include Subject Alternative Name on SSL certificates
Hi, I'm using Leap 42.1 and I'm trying to enable SSL on my Apache server. Based on this documentation: https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.ref... I'm trying to generate a self-signed certificate for my own server. So, I make a backup of this file:

# cp /etc/ssl/openssl.cnf /etc/ssl/openssl.bak

and in the [ req ] section I uncomment the line

req_extensions = v3_req

Next, in section [ v3_req ] I add the following line:

subjectAltName = @alt_names

Besides, at the end of this file I add the [ alt_names ] section:

# Alternatives DNS names for my webserver
[ alt_names ]
DNS.1 = server.local
DNS.1 = *.server.local
DNS.1 = server
DNS.1 = *.server
IP.1 = 192.168.0.110

Next, I execute this command (read in the documentation above) as root:

# openssl req -new > new.cert.csr

At this point, if I check the CSR file I can see the Subject Alternative Name (SAN) field loaded:

# openssl req -text -noout -in new.cert.csr

Next step, I execute this command for generating the private key:

# openssl rsa -in privkey.pem -out new.cert.key

and this one for generating the public cert file:

# openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

Now, if I check this one:

# openssl x509 -in new.cert.cert -text -noout

I CAN'T SEE the SAN field.

Because of this I cannot use a single cert file for enabling SSL on my server for each DNS name. This is anomalous according to the documentation available on the internet. The SAN field must be integrated into the cert file.

Is this a bug or am I wrong?

Thanks in advance!

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
24.09.2016 05:19, Alfredo Amaya wrote:
Hi, I'm using Leap 42.1 and I'm trying to enable SSL on my Apache server.
Based on this documentation: https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.ref...
I'm trying to generate a self-signed certificate for my own server. So, I make a backup of this file:
# cp /etc/ssl/openssl.cnf /etc/ssl/openssl.bak
and in the [ req ] section I uncomment the line req_extensions = v3_req
Next, in section [ v3_req ] I add the following line:
subjectAltName = @alt_names
Besides, at the end of this file I add the [ alt_names ] section:
# Alternatives DNS names for my webserver
[ alt_names ]
DNS.1 = server.local
DNS.1 = *.server.local
DNS.1 = server
DNS.1 = *.server
IP.1 = 192.168.0.110
Next, I execute this command (read in the documentation above) as root:
# openssl req -new > new.cert.csr
At this point, if I check the CSR file I can see the Subject Alternative Name (SAN) field loaded:
# openssl req -text -noout -in new.cert.csr
Next step, I execute this command for generating the private key:
# openssl rsa -in privkey.pem -out new.cert.key
and this one for generating the public cert file:
# openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
You need to explicitly tell it to use extensions by using "-extensions v3_req". I do not know if it is possible to set defaults in openssl.cnf here. http://apetec.com/support/GenerateSAN-CSR.htm
Now, if I check this one:
# openssl x509 -in new.cert.cert -text -noout
I CAN'T SEE the SAN field.
Because of this I cannot use a single cert file for enabling SSL on my server for each DNS name. This is anomalous according to the documentation available on the internet. The SAN field must be integrated into the cert file.
Is this a bug or am I wrong?
Thanks in advance!
24.09.2016 09:52, Andrei Borzenkov wrote:
# openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
You need to explicitly tell it to use extensions by using "-extensions v3_req". I do not know if it is possible to set defaults in openssl.cnf here.
Blush ... just need to read "man x509" ...
2016-09-24 8:03 GMT+01:00 Andrei Borzenkov <arvidjaar@gmail.com>:
24.09.2016 09:52, Andrei Borzenkov wrote:
# openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
You need to explicitly tell it to use extensions by using "-extensions v3_req". I do not know if it is possible to set defaults in openssl.cnf here.
(I also tried the solution suggested above and the -extensions v3_req param. It doesn't work.)

I tried uncommenting the line

copy_extensions = copy

in the [ CA_default ] section. It doesn't work.

I tried adding the line

subjectAltName = @alt_names

to section [ v3_ca ] too. It doesn't work.

It blows my mind!
Blush ... just need to read "man x509" ...
Yeah, you mean the Bugs section?

"Extensions in certificates are not transferred to certificate requests and vice versa"

End of the road, I guess. :-(
24.09.2016 12:57, Alfredo Amaya wrote:
2016-09-24 8:03 GMT+01:00 Andrei Borzenkov <arvidjaar@gmail.com>:
24.09.2016 09:52, Andrei Borzenkov wrote:
# openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
You need to explicitly tell it to use extensions by using "-extensions v3_req". I do not know if it is possible to set defaults in openssl.cnf here.
(I also tried the solution suggested above and the -extensions v3_req param. It doesn't work.)
It does. I usually test things before explicitly recommending them.
I tried uncommenting the line
copy_extensions = copy
in the [ CA_default ] section. It doesn't work.
I tried adding the line
subjectAltName = @alt_names
to section [ v3_ca ] too. It doesn't work.
It blows my mind!
Blush ... just need to read "man x509" ...
Yeah, you mean the Bugs section?
No. I mean description how to include extensions in certificate by default.
"Extensions in certificates are not transferred to certificate requests and vice versa"
Which is exact reason why you need to tell it to add extensions (and which extensions) when generating certificate.
End of the road, I guess. :-(
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
You need to explicitly tell it to use extensions by using "-extensions v3_req". I do not know if it is possible to set defaults in openssl.cnf here.
(I also tried the solution suggested above and the -extensions v3_req param. It doesn't work.)
It does. I usually test things before explicitly recommending them.
How do you check it? I execute:

# openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365 -extensions v3_req

and then these commands for checking:

# openssl x509 -in new.cert.cert -text -noout

or

# openssl x509 -in new.cert.cert -subject -noout

and I don't see the extensions. Do you? How do you see them?

Thanks in advance, Andrei.
24.09.2016 14:34, Alfredo Amaya wrote:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
You need to explicitly tell it to use extensions by using "-extensions v3_req". I do not know if it is possible to set defaults in openssl.cnf here.
(I also tried the solution suggested above and the -extensions v3_req param. It doesn't work.)
It does. I usually test things before explicitly recommending them.
How do you check it? I execute:
# openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365 -extensions v3_req
and then these commands for checking:
# openssl x509 -in new.cert.cert -text -noout
or
# openssl x509 -in new.cert.cert -subject -noout
and I don't see the extensions. Do you? How do you see them?
bor@bor-Latitude-E5450:/tmp$ openssl x509 -text -noout -in san_domain_com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17715959473418646696 (0xf5dbbb472455b4a8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Sep 24 07:01:29 2016 GMT
            Not After : Sep 22 07:01:29 2026 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:kb.example.com, DNS:helpdesk.example.org, DNS:systems.example.net, IP Address:192.168.1.1, IP Address:192.168.69.14
    Signature Algorithm: sha256WithRSAEncryption
         ...
bor@bor-Latitude-E5450:/tmp$
and I don't see the extensions. Do you? How do you see them?
bor@bor-Latitude-E5450:/tmp$ openssl x509 -text -noout -in san_domain_com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17715959473418646696 (0xf5dbbb472455b4a8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Sep 24 07:01:29 2016 GMT
            Not After : Sep 22 07:01:29 2026 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:kb.example.com, DNS:helpdesk.example.org, DNS:systems.example.net, IP Address:192.168.1.1, IP Address:192.168.69.14
    Signature Algorithm: sha256WithRSAEncryption
         ...
bor@bor-Latitude-E5450:/tmp$

I finally understand my mistake. In the article you link above I see another param I was not using:

-extfile /etc/ssl/openssl.cnf

When I execute:

openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 3650 -extensions v3_req -extfile /etc/ssl/openssl.cnf

the cert file finally loads the SAN field. Thanks so much Andrei, you put me on the right track!

And sorry, there's a typo in my first message. My alt_names section looks like this:

# Alternatives DNS names for my webserver
[ alt_names ]
DNS.1 = server.local
DNS.2 = *.server.local
DNS.3 = server
DNS.4 = *.server
IP.1 = 192.168.0.110
participants (2)
- Alfredo Amaya
- Andrei Borzenkov