subjectAltName cert generation confusion... - Openssl



Thread: subjectAltName cert generation confusion...

  1. subjectAltName cert generation confusion...

    Hi

    After a lot of false starts I have finally managed to generate a cert
    with a subjectAltName extension. I still don't understand the solution
    though...

    Basically I modified the default openssl.cnf file to have
    x509_extensions = v3_req in the [ req ] section and then updated
    the v3_req section to list my subjectAltNames. Now when I generate a
    request and self sign it with:

    openssl x509 -req -days 365 -in server.csr -signkey server.pem -out
    server.crt

    ...then all I get is a v1 cert with no extensions section, but if
    instead I use:

    openssl x509 -req -days 365 -in server.csr -signkey server.pem -out
    server.crt -extfile ../openssl.cnf

    (and edit openssl.cnf to have an "extensions=v3_req" line) then I get
    the v3 certificate with what appears to be the correct extensions... wahoo!

    My question is whether it's possible to avoid having to write "-extfile"
    on the signing request above? It's not that the extra typing is a big
    deal, it's just that I have torn my hair out for several days over this
    because all the examples on the web don't seem to have this extra
    stanza? Am I just missing something really simple in my config file to
    avoid needing this on my command line? I would like to try and
    understand why this is necessary if possible please?

    Can someone please also confirm that the CA.pl script supplied with my
    gentoo openssl install will NOT correctly generate certs with a
    subjectAltName?

    Thanks

    Ed W
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: subjectAltName cert generation confusion...

    On Fri, Jun 13, 2008, Ed W wrote:

    There are many examples on the web which are *ancient* and "new" ones derived
    from them.

    If you don't use the -extfile option the 'x509' command does not
    know which extensions to use so defaults to none at all in a (now obsolete) v1
    certificate. You can also include an -extensions v3_req option on the command
    line and avoid having to modify openssl.cnf any further.

    The CA.pl script is the recommended way to generate certificates and should
    make matters easier.

    You can use CA.pl to include subjectAltName. However you need a customised
    openssl.cnf file which you can point to using the OPENSSL_CONF environment
    variable or you could modify the system one but that is not recommended.

    Steve.
    --
    Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
    OpenSSL project core developer and freelance consultant.
    Homepage: http://www.drh-consultancy.demon.co.uk
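    The procedure Steve describes, as an added example that is not part of the thread: a minimal stand-in for openssl.cnf whose [ req ] section points at v3_req, a CSR generated from it, and a self-signed cert produced with -extfile plus -extensions v3_req so no "extensions=" line has to be added to the config. The file names, CN and DNS names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a self-signed certificate that
# carries a subjectAltName; the config, key, CSR and cert are written to a
# temporary directory. Names and paths are constructed placeholders.
set -e
make_san_cert() {
    dir=$1
    cfg="$dir/san.cnf"
    # Minimal openssl.cnf: [req] names v3_req for both the CSR
    # (req_extensions) and a self-signed cert (x509_extensions).
    cat > "$cfg" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req
x509_extensions    = v3_req

[ req_dn ]
CN = www.example.test

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
    # Key and CSR; the CSR carries the SAN through req_extensions.
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Self-sign. As the thread explains, 'x509 -req' only adds the extensions
    # it is told about via -extfile/-extensions; without them it emits a v1
    # certificate with no extensions at all.
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extfile "$cfg" -extensions v3_req 2>/dev/null
}
# Checks on the result: certificate version (3 = v3) and the SAN line.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: *\([0-9]\).*/\1/p'
}
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}
work=$(mktemp -d)
make_san_cert "$work"
echo "version: $(cert_version "$work/server.crt")"
cert_sans "$work/server.crt"
```

    Always confirm the SAN with `openssl x509 -noout -text` after signing; a cert that silently came out as v1 with no SAN will be rejected by any client that matches the hostname against subjectAltName.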


  3. Re: subjectAltName cert generation confusion...

    Hi,
    I'm getting undefined symbol errors for my sample server program on Linux.
    My program is using OpenSSL APIs.
    I have installed the openssl 0.9.8g version on the Red Hat machine;
    everything succeeded, but I'm still getting the linking errors.
    Steps that I followed:
    1. config
    2. make
    3. make install

    Finally, when I tried my sample with the gcc compiler it gives the undefined
    symbol errors, like: undefined reference to SSL_library_init.

    Please reply as soon as possible.
    Thanks in advance.


    On Sat, Jun 14, 2008 at 9:29 PM, Dr. Stephen Henson wrote:

    --
    regards,
    Vineeta Kumari
    Software engg
    Mobera Systems
    Chandigarh


  4. Re: subjectAltName cert generation confusion...

    I don't see how this is related to my question in the slightest?

    Ed W


    vinni rathore wrote:

  5. Re: subjectAltName cert generation confusion...

    Dr. Stephen Henson wrote:
    > The CA.pl script is the recommended way to generate certificates and should
    > make matters easier.
    >
    > You can use CA.pl to include subjectAltName. However you need a customised
    > openssl.cnf file which you can point to using the OPENSSL_CONF environment
    > variable or you could modify the system one but that is not recommended.
    >



    Thanks Stephen

    Can you please give me an example of adding subjectAltName using CA.pl?
    I don't see how I can add the relevant -identity or whatever to the
    command line?

    Cheers

    Ed W

