
My CSR has SAN names listed but when I generate the certificate in openssl they are not being copied into the certificate.

The openssl.cnf settings are:

```
[ req ]

default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions = v3_req

[ CA_default ]

# Extension copying option: use with caution.
copy_extensions = copy

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names

[alternate_names]

DNS.1 = ocmcUmtsPn-qa.stholdco.com
DNS.2 = ocmcUmtsSsu-qa.stholdco.com
DNS.3 = ocmcCdmaPn-qa.stholdco.com
DNS.4 = ocmcCdmaPn-qa.stholdco.com
DNS.5 = ocmcMessaging-qa.stholdco.com
DNS.6 = ocmcData-qa.stholdco.com
```

What am I doing wrong?

jww
  • Show us the command you are using to generate the CSR and perform the signing. Also, you don't want `dataEncipherment` because you don't want folks using the server's public key for bulk encryption. `digitalSignature, keyEncipherment` is fine. Related: here's the CONF file I use and the commands I use: [How do I edit a self signed certificate...](http://stackoverflow.com/questions/26019957/how-do-i-edit-a-self-signed-certificate-created-using-openssl-xampp). – jww Sep 25 '14 at 04:54
  • Here is the command: `openssl ca -out certificates/ocmcconsole-qa.pem -extensions v3_req -config ./openssl.cnf -infiles requests/ocmcconsole-qa.pem`. I was grasping at straws using an example I found on the internet. – user3071814 Sep 26 '14 at 12:45

1 Answer


Your configuration file is nearly perfect. Your "CA_default" section has the correct `copy_extensions` setting. You only need to add these two lines, which will tell OpenSSL to use the settings in the "CA_default" section.

```
[ ca ]
default_ca      = CA_default
```

Alternatively, you can pass in a `-name CA_default` argument.

iforapsy
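To check the behaviour described in the answer, the script below (an added example, not code from the question or the answer) builds a throwaway CA in a temp directory and signs the same CSR once with `copy_extensions = none` and once with `copy`. The CSR also asks for `basicConstraints = CA:TRUE`, which shows why the option carries a "use with caution" comment: under `copy` the CA's own `x509_extensions` section is applied first and the request cannot replace it. The CA name, hostnames and section names `leaf`, `dn`, `csr_ext` and `policy_any` are constructed for the demo.

```shell
#!/bin/sh
# Added demo: throwaway CA in a temp dir; every name and hostname is constructed.
set -eu

# Sign one CSR with copy_extensions set to $1 (none|copy) and print the
# basicConstraints and subjectAltName values found in the issued certificate.
issue_with() {
  d=$(mktemp -d)
  (
    set -e; cd "$d"
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
policy = policy_any
copy_extensions = $1
x509_extensions = leaf
[ policy_any ]
commonName = supplied
[ leaf ]
basicConstraints = critical, CA:FALSE
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ csr_ext ]
subjectAltName = DNS:a.example.test, DNS:b.example.test
basicConstraints = CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 \
      -subj "/CN=Demo Root" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -reqexts csr_ext \
      -subj "/CN=a.example.test" -keyout srv.key -out srv.csr 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -in srv.csr -out srv.pem 2>/dev/null
    openssl x509 -in srv.pem -noout -text | grep -E 'DNS:|CA:' | sed 's/^ *//'
  )
  rm -rf "$d"
}

for mode in none copy; do echo "== copy_extensions = $mode"; issue_with "$mode"; done
```

Inspecting the issued certificate this way before handing it out catches both a silently dropped SAN list and an extension that was copied from the request when it should not have been.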