问题
I have generated a CSR that includes the field subject alt names:
openssl req -out mycsr.pem -new -key mykey.pem -days 365
When I inspect this it looks as expected with a new field present:
X509v3 Subject Alternative Name:
DNS: my.alt.dns
However when I use this to sign a certificate that field is omitted for some reason.
I generate it with the following command:
openssl ca -out mycert.pem -infiles mycsr.pem
Can it be that my CA cert have to include the same Alt name for it to be included?
回答1:
You can use:
copy_extensions = copy
under your CA_default section in your openssl.cnf.
but only when you're sure that you can trust the extensions in the CSR as pointed out in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html
See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
回答2:
For everybody, who doesn´t like to edit the system-wide openssl.conf, there´s a native openssl CLI option for adding the SANs to the .crt from a .csr. All you have to use is openssl´s -extfile and -extensions CLI parameters.
Here´s an example:
openssl x509 -req -days 3650 -in alice.csr -signkey aliceprivate.key -out alice.crt -extfile alice-csr.conf -extensions v3_req
This requires a alice-csr.conf file, which looks like this (fill in your appropriate data) and which was used to generate the .csr with the command openssl req -new -key aliceprivate.key -out alice.csr -config alice-csr.conf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = Thuringia
L = Erfurt
O = Alice Corp
OU = Team Foo
CN = server-alice
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = server-alice
DNS.2 = localhost
Keep in mind, that the -extensions v3_req option corresponds to the [v3_req] section in the file alice-csr.conf, where you define you Subject Alternative Names aka the domains, which you want to issue your certificate to.
As I always appreciate fully comprehensible examples, where one could reproduce every step, I created an example project featuring Spring Boot microservices: https://github.com/jonashackt/spring-boot-rest-clientcertificates-docker-compose
回答3:
Signing a CSR with alt names is described here well: https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html#creating-certificates-valid-for-multiple-hostnames
In short words, you create a something.ext file containing just the alt names:
subjectAltName = DNS:*.my.alt.dns, DNS:my.alt.dns
and then refer to this file in openssl x509 -req ... command: -extfile something.ext. Note that it happens when signing the CSR, not when preparing it.
来源:https://stackoverflow.com/questions/30977264/subject-alternative-name-not-present-in-certificate