Add a subject alternative name to an SSL certificate with openssl
March 31, 2011 15:03:26 (last update: April 01, 2011 12:34:50)
- Create an openssl configuration file which enables subject alternative names (openssl.cnf):

```
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.foo.com
DNS.2 = www.bar.org
IP.1 = 192.168.1.1
IP.2 = 192.168.69.144
```
- Create a certificate request using the above configuration file (the private key testServer.key must already exist; the prompts can be answered with their defaults):

```
C:\work>openssl req -new -key testServer.key -out testServer.csr -config openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
Locality Name (eg, city) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
```
- Verify the request was created successfully and carries the requested extensions: the X509v3 Subject Alternative Name entry must list every name from the alt_names section.

```
C:\work>openssl req -text -noout -in testServer.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ca:c4:8d:8d:0d:69:48:c7:4f:4e:ea:e6:c3:36:
                    2d:7c:a5:96:96:c4:db:a3:4b:0c:b2:d9:0d:b6:af:
                    eb:4d:4b:31:32:f8:b5:74:6b:7f:77:46:0a:ac:9b:
                    3c:d7:a9:88:40:41:49:c9:e4:d8:ce:57:0d:ef:77:
                    d8:a2:45:c6:20:ea:f3:c0:59:94:20:4a:16:0a:c7:
                    ac:4e:48:b7:a3:35:1c:40:0e:ba:93:8f:5d:43:e0:
                    f2:6d:3b:9a:12:c4:1e:4d:19:48:9f:35:92:89:b1:
                    e6:96:a9:8e:b2:8d:a3:13:f3:6c:61:28:13:75:03:
                    db:04:79:11:46:00:b8:79:0b
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:www.foo.com, DNS:www.bar.org, IP Address:192.168.1.1, IP Address:192.168.69.144
    Signature Algorithm: sha1WithRSAEncryption
        6d:9a:35:5c:23:74:71:1a:ea:d0:69:f7:13:c9:d7:7c:4c:1d:
        b7:b5:82:76:3d:c3:20:fd:9a:1b:b6:18:b1:58:14:0c:b7:77:
        54:a8:99:eb:aa:bc:bc:02:f2:ba:71:16:97:9c:0a:74:ff:b9:
        2c:c1:87:2a:27:59:23:ff:02:4e:d3:44:26:68:42:03:c9:c1:
        38:65:ad:7b:e5:e7:08:58:d3:fc:06:b9:1d:e9:33:b0:b0:04:
        e5:4c:92:16:54:31:58:77:6f:f5:37:15:27:7b:a3:7b:da:b5:
        18:74:d1:39:0b:f5:37:25:f1:a1:96:d9:36:35:b3:3e:65:9e:
        92:1f
```
- (Optional) self-sign the certificate request. The `-extensions v3_req -extfile openssl.cnf` options are what put the subject alternative names into the certificate: `openssl x509 -req` does not copy the requested extensions out of the CSR on its own, so without them the signed certificate would have no SAN at all.

```
C:\work>openssl x509 -req -days 3650 -in testServer.csr -signkey testServer.key -out testServer.crt -extensions v3_req -extfile openssl.cnf
Signature ok
subject=/C=US
Getting Private key
```
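The whole procedure as one non-interactive script, added here as an example and not taken from the original post: it writes the configuration, creates a 2048-bit key and a CSR, self-signs it with the extensions carried over, and then checks that each expected name is actually present in the certificate's subjectAltName. The function names and the temporary working directory are this example's own; it assumes the `openssl` command line tool is installed.

```shell
#!/bin/sh
# Added example (not code from the original post): runs the post's procedure
# end-to-end without prompts, then checks the SANs really reached the
# certificate. Needs the openssl CLI; names are the post's sample values.
set -eu

# Write a minimal openssl config whose v3_req section carries the SAN list.
write_san_config() {            # $1 = path of the config file to create
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
CN = www.foo.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.foo.com
DNS.2 = www.bar.org
IP.1 = 192.168.1.1
IP.2 = 192.168.69.144
EOF
}

# Key -> CSR (with requested extensions) -> self-signed cert that keeps them.
make_san_cert() {               # $1 = working directory
  write_san_config "$1/openssl.cnf"
  openssl genrsa -out "$1/testServer.key" 2048 2>/dev/null
  openssl req -new -key "$1/testServer.key" -out "$1/testServer.csr" \
    -config "$1/openssl.cnf"
  # -extensions/-extfile carry the SAN into the certificate: "x509 -req"
  # does not copy the CSR's requested extensions on its own.
  openssl x509 -req -days 3650 -in "$1/testServer.csr" -signkey "$1/testServer.key" \
    -out "$1/testServer.crt" -extensions v3_req -extfile "$1/openssl.cnf" 2>/dev/null
}

# Print the subjectAltName values of a certificate (empty if the extension is absent).
cert_sans() {                   # $1 = certificate file
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Succeed only if the given entry (e.g. "DNS:www.bar.org") is listed in the SAN.
has_san() {                     # $1 = certificate file, $2 = SAN entry to look for
  cert_sans "$1" | grep -q -F -- "$2"
}
```

Run `make_san_cert "$dir"` and then `has_san "$dir/testServer.crt" DNS:www.bar.org` to confirm the name is really in the signed certificate rather than only in the request.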