
Is there a way to get a .crt and .key file with the subject alternative name set? I am configuring a proxy with an openssl .crt and .key generated by this command

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout proxy.key -out proxy.crt

I then cat the .key and .crt to get a .pem and use that on the client side. This cert works fine for securing the https connection but I get a warning that the Subject Alternative Name is not set in the certificate. In another client I use the warning is actually an error that terminates the connection.

The solution here https://security.stackexchange.com/a/91556 gives me a .csr which I rename to become the .crt I need, and when I use this with the client the https connection fails on incorrect ssl certificate.

Hamzeh Alsalhi
  • Possible duplicate of [How to create a self-signed certificate with openssl?](http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl) – jww Oct 15 '15 at 22:35

2 Answers


As per @vog's answer:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"

(note that this is only for OpenSSL >= 1.1.1).

redbeam_
  • unknown option -addext LibreSSL 2.8.3 – Pavol Travnik Apr 15 '21 at 11:57
  • @PavolTravnik did you read the note (in the parentheses)? – redbeam_ Apr 15 '21 at 12:01
  • Well, it is not a solution for Debian nor Mac natively because of the OpenSSL version - solution probably for a special setup only – Pavol Travnik Apr 15 '21 at 13:00
  • @PavolTravnik Well, if you’d read the linked answer (from @vog), you would find a command that works on older versions. This question is not tagged with “Debian” nor “macOS”, so I really don’t see why you had to downvote my answer. I even specifically noted that it doesn’t work on older versions and provided a link to my source. Please reconsider. – redbeam_ Apr 15 '21 at 13:12
  • Works perfectly with pure OpenSSL on Ubuntu 21.04! Why use Libre something, when everywhere it is tagged exactly openssl? – Reishin Jul 28 '21 at 02:36
  • @PavolTravnik it's you who use some custom config, works perfectly on Ubuntu, CentOS, Fedora out of the box – Reishin Jul 28 '21 at 02:37
  • Thank you for adding an example with multiple DNS entries, it was not so simple to find the correct syntax. Upvoted. – EugeneRomero Aug 30 '21 at 08:23
  • Worked on RHEL8 – MUY Belgium Apr 04 '22 at 08:48
  • Happy to say I am seeing the `addext` option in LibreSSL 3.3.6 on Mac OS X – Spencer Williams Dec 06 '22 at 23:51

Is there a way to get a .crt and .key file with the subject alternative name set?

Yes, but you cannot do it from the command line. You have to use a CONF file.

For setting the SAN via a CONF file, see "How do you sign Certificate Signing Request with your Certification Authority" and "How to create a self-signed certificate with openssl?". Both include the SAN in the procedures.

jww
  • jww, somehow when I execute the directions in the second link you sent me I see that I now have a SAN field in my .crt, which is great, but when I cat the cert with the key as a .pem to use in my client I get a `SSL: CERTIFICATE_VERIFY_FAILED`. If I do the same exact openssl certificate generation but instead use the default Ubuntu openssl.cnf I get a successful connection but with the warning `Certificate has no 'subjectAltName'`. So something about adding the SAN is causing verification to fail. – Hamzeh Alsalhi Oct 16 '15 at 00:19
  • @HamzehAlsalhi - what user agent? Is this a browser? Or a command line tool, like `s_client`, `wget` or `cURL`? – jww Oct 16 '15 at 00:39
  • Python requests is what I'm testing with, which gives me the SAN warning; Java HttpsURLConnection is the end goal but this client errors out on no SAN instead of warning. – Hamzeh Alsalhi Oct 16 '15 at 01:09
  • *If* you have a certificate with a SAN, then you should probably ask a new question. It sounds like you now have a problem with Python trusting the self signed certificate. Stack Overflow likes to keep questions/answers targeted and concise. It makes it easier on future visitors. – jww Oct 16 '15 at 01:28
  • You're right, you solved the question I originally asked so I'll accept the answer – Hamzeh Alsalhi Oct 16 '15 at 02:58
  • this answer is no longer true; https://stackoverflow.com/a/41366949/3961420 – redbeam_ Oct 14 '20 at 00:30
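The CONF-file route from this answer, combined with the SAN syntax of the -addext answer above and followed by the hostname check that clients like requests and HttpsURLConnection perform, as an added example (not code from either answer or from OpenSSL's documentation). It assumes a POSIX shell with the openssl CLI on PATH; the hostnames, IP address and file names are constructed sample values.

```shell
#!/bin/sh
# Added example (not code from either answer): self-signed key/cert with a
# subjectAltName via a temporary config file, the route that also works on
# OpenSSL < 1.1.1 and LibreSSL builds lacking -addext, then the checks a
# client performs. Hostnames, IP and file names are constructed samples.
set -eu

# make_san_cert OUTDIR CN SAN_LIST
#   SAN_LIST uses the same syntax as -addext: "DNS:a,DNS:b,IP:10.0.0.1"
make_san_cert() {
  outdir=$1; cn=$2; san=$3
  cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
  # -x509 makes req emit a certificate rather than a CSR, so nothing
  # has to be renamed; -config supplies the extensions
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -config "$outdir/san.cnf" \
    -keyout "$outdir/proxy.key" -out "$outdir/proxy.crt" >/dev/null 2>&1
}

# cert_san CERT: print the certificate's SAN entries (empty when absent)
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# hostname_matches CERT NAME: succeed when NAME is accepted for the cert,
# using the self-signed cert as its own trust anchor (as a pinned .pem is)
hostname_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_san_cert "$d" proxy.example.test \
    "DNS:proxy.example.test,DNS:www.example.test,IP:10.0.0.1"
  echo "SAN: $(cert_san "$d/proxy.crt")"
  hostname_matches "$d/proxy.crt" www.example.test && echo "www: accepted"
  hostname_matches "$d/proxy.crt" other.example.test || echo "other: rejected"
fi
```

A cert that prints an empty SAN line here is the one that produces the `Certificate has no 'subjectAltName'` warning, and a name rejected by hostname_matches is what HttpsURLConnection refuses.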