18

I use self-signed CA cert to sign other certificates. For some certs I need to specify subject alternative names. I can specify them during request generation (openssl req ...) and I see them in .csr file. Then I sign it with CA cert using 

openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt

and next sections in openssl.cnf file:

[ x509 ]
x509_extensions = x509v3_config

[ x509v3_config ]
copy_extensions = copy

but I see no SAN in .crt file.

I know about solutions with openssl ca ... command but I have no valid [ca] section and I don't want to copy/paste it without deep understanding what it does. So I hope that exists another solution with openssl x509 ... command.

Community
  • 1
  • 1
4ybaka
  • 2,954
  • 4
  • 16
  • 21

3 Answers3

13

The copy_extensions directive is only understood by the openssl ca command. There is no way to copy extensions from a CSR to the certificate with the openssl x509 command.

Instead, you should specify the exact extensions you want as part of the openssl x509 command, using the same directives you used for openssl req.

frasertweedale
  • 5,424
  • 3
  • 26
  • 38
6

Sorry, I can't comment (yet).

In addition to @frasertweedale :

I generated my server-certificate with a config file 

openssl req -new -out certificate.csr -key certificate_private_key.pem -sha256 -days 1825 -config certificate.conf

I then did

Instead, you should specify the exact extensions you want as part of the OpenSSL x509 command, using the same directives you used for OpenSSL req.

with the following command (I used the same .conf-file again):

openssl x509 -req -in certificate.csr -CA ca-root-public-certificate.pem -CAkey ca-key.pem -CAcreateserial -out certificate_public.pem -sha256 -days 1825 -extfile certificate.conf -extensions v3_req
timiTao
  • 1,417
  • 3
  • 20
  • 34
schuess
  • 69
  • 1
  • 3
3

There is a good documentation here : Certificates

You will need to compose an openssl conf file while creating a x509 cert request like this:

create CSR

openssl req -new -key server.key -out server.csr -config csr.conf

sign CERT

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
alex007
  • 93
  • 9