
List:       opensuse
Subject:    Re: [opensuse] openssl doesn't include Subject Alternative Name on SSL certificates
From:       Alfredo Amaya <alfreito () gmail ! com>
Date:       2016-09-24 12:01:12
Message-ID: CAG5MJ3kFAt=a8xqSfeZPEX=6Uej7ywqZv+T=wVUoN30nytjfuQ () mail ! gmail ! com

>> and I don't see the extensions. Do you? How do you see them?
>>
>
> bor@bor-Latitude-E5450:/tmp$ openssl x509 -text -noout -in
> san_domain_com.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 17715959473418646696 (0xf5dbbb472455b4a8)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
>         Validity
>             Not Before: Sep 24 07:01:29 2016 GMT
>             Not After : Sep 22 07:01:29 2026 GMT
>         Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
> ...
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage:
>                 Digital Signature, Non Repudiation, Key Encipherment
>             X509v3 Subject Alternative Name:
>                 DNS:kb.example.com, DNS:helpdesk.example.org,
> DNS:systems.example.net, IP Address:192.168.1.1, IP Address:192.168.69.14
>     Signature Algorithm: sha256WithRSAEncryption
> ...
> bor@bor-Latitude-E5450:/tmp$

I finally understand my mistake. In the article you link above I see
another param I was not using:

-extfile /etc/ssl/openssl.cnf

When I execute:

openssl x509 -in new.cert.csr -out new.cert.cert -req \
    -signkey new.cert.key -days 3650 \
    -extensions v3_req -extfile /etc/ssl/openssl.cnf

the cert file finally loads the SAN field. Thanks so much Andrei, you
put me on the right way!

And sorry, there's a typo in my first message. My alt_names section
looks like this:

     # Alternatives DNS names for my webserver
     [ alt_names ]

     DNS.1 = server.local
     DNS.2 = *.server.local
     DNS.3 = server
     DNS.4 = *.server
     IP.1 = 192.168.0.110
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
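
The behaviour described in the message above, as an added example that is not part of the original post: "openssl x509 -req" does not carry over the extensions requested in the CSR by default, so the SAN only reaches the certificate when -extensions/-extfile name a section that defines it. The config contents, file names, 30-day validity and the helper names write_cnf, has_san and san_demo are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example. Names, addresses and files are constructed; all files are
# throwaway and live in a temp dir.

# Minimal config whose v3_req section carries the SAN list.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[ dn ]
CN = server.local
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = server.local
DNS.2 = *.server.local
IP.1 = 192.168.0.110
EOF
}

# has_san <req|x509> <file>: print "yes" if the object carries a SAN extension.
has_san() {
    if openssl "$1" -in "$2" -noout -text | grep -q 'Subject Alternative Name'
    then echo yes; else echo no; fi
}

# Self-sign one CSR twice, without and with -extensions/-extfile.
# Prints SAN presence for: CSR, plain cert, cert signed with -extfile.
san_demo() {
    san_tmp=$(mktemp -d) || return 1
    write_cnf "$san_tmp/san.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$san_tmp/san.cnf" \
        -keyout "$san_tmp/new.key" -out "$san_tmp/new.csr" 2>/dev/null
    openssl x509 -req -in "$san_tmp/new.csr" -signkey "$san_tmp/new.key" \
        -days 30 -out "$san_tmp/plain.crt" 2>/dev/null
    openssl x509 -req -in "$san_tmp/new.csr" -signkey "$san_tmp/new.key" \
        -days 30 -extensions v3_req -extfile "$san_tmp/san.cnf" \
        -out "$san_tmp/san.crt" 2>/dev/null
    echo "$(has_san req "$san_tmp/new.csr") $(has_san x509 "$san_tmp/plain.crt") $(has_san x509 "$san_tmp/san.crt")"
    rm -rf "$san_tmp"
}

san_demo   # expected: yes no yes
```

Running has_san against a freshly issued certificate before deploying it catches the missing-SAN case that modern TLS clients reject.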
