Hello people, I have a problem when I make a PKCS#10 CSR with openssl and try to use it in openca. This is what I am doing.
I have a configuration file (my.cnf):
n...@nico-laptop:~/openssl/new$ more my.cnf
[ req ]
default_bits = 1024
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
utf8 = yes # automatically added
string_mask = utf8only # automatically added
[ req_distinguished_name ]
commonName = www.test.com
localityName = My_Locality
organizationalUnitName = My_Unit
organizationName = My_Organization
countryName = AR
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
email.0 = [email protected]
DNS.1 = www.test.com
DNS.2 = www.test.net
DNS.3 = www.test.org
n...@nico-laptop:~/openssl/new$
With this file I create the CSR with the following command:
+ openssl req -new -nodes -keyout ./priv.key -out ./req.csr -config ./my.cnf
+ openssl req -out req.pem -in req.csr -config my.cnf
This is the output:
n...@nico-laptop:~/openssl/new$ openssl req -new -nodes -keyout ./priv.key -out ./req.csr -config ./my.cnf
Generating a 1024 bit RSA private key
..................++++++
.............++++++
unable to write 'random state'
writing new private key to './priv.key'
-----
n...@nico-laptop:~/openssl/new$
n...@nico-laptop:~/openssl/new$ openssl req -out req.pem -in req.csr -config my.cnf
n...@nico-laptop:~/openssl/new$
Then I inspect the content of the request and I can see it's all ok:
n...@nico-laptop:~/openssl/new$ openssl req -text -in req.pem
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=www.test.com, L=My_Locality, OU=My_Unit, O=My_Organization, C=AR
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bb:54:1d:4e:c2:1b:62:88:19:81:76:4e:53:5a:
3b:20:fe:d0:37:1e:ec:cb:15:4f:8e:1c:58:57:31:
be:4d:38:6f:99:79:81:a3:56:8b:f6:c3:2b:21:59:
c4:4e:be:c8:91:9b:5e:32:4b:43:a7:82:17:7a:2a:
3c:dc:3b:5c:72:af:22:d7:60:ad:dd:50:00:c5:8c:
7d:53:fa:fd:af:6c:12:71:2b:4c:0a:f7:5a:d0:65:
a5:7d:45:f1:01:b7:28:ca:c7:39:20:c1:aa:20:6f:
de:dc:6d:18:dd:e1:93:d2:d6:05:32:89:ad:55:41:
22:87:82:dc:97:ae:a9:00:9f
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
email:[email protected], DNS:www.test.com, DNS:www.test.net, DNS:www.test.org
Signature Algorithm: sha1WithRSAEncryption
a7:7d:72:21:cb:3f:d4:4a:1e:ab:20:4e:83:21:d8:0e:fa:87:
5f:03:71:f4:38:4a:2b:60:76:3b:2a:8e:59:5a:a6:2f:70:28:
6c:71:e1:90:4d:a9:19:9b:76:a5:b0:6b:bf:78:8e:43:81:08:
d4:73:79:c5:72:d0:79:82:b0:56:93:60:58:c6:3b:64:7d:f4:
9c:7c:30:c1:19:6c:56:e1:1c:0c:f2:93:f4:da:e0:8f:12:73:
02:9e:b7:0f:1f:08:3e:a7:ee:6a:7b:d1:56:c6:1d:8c:4c:b5:
1c:61:be:09:5c:cf:f0:89:aa:9e:b3:0b:01:3b:7b:03:45:74:
4e:a9
n...@nico-laptop:~/openssl/new$
The problem arises when I try to use the request I made before in openca.
I am using OpenCA Server Version 1.0.2.
I use the interface "My certificates" -> "Request a Certificate" ->
"Server Certificate Request (PKCS#10 PEM formatted Request Upload Form)"
to upload my CSR.
When I use the RA Operator interface and open the request I can't see
information about "Subject Alternative Name" field.
The information openca gathers from the CSR is:
Request Version 0 (0x0)
Serial Number 37152
Common Name www.test.com
E-Mail n/a
Subject Alternative Name n/a
Role Web Server
Lifetime (days) n/a
Not before (YYMMDDhhmmss) n/a
Not after (YYMMDDhhmmss) n/a
Lifetime check Lifetime would be ok.
LOA Low
Distinguished Name serialNumber=206,C=AR,O=My_Organization,OU=My_Unit,L=My_Locality,CN=www.test.com
Submitted on Tue Jul 14 23:20:30 2009 UTC
Approved on n/a
Used Identification PIN 25c1cd954c5f9d83bd7b46ecb71c2db0145bc3a8
Modulus (key size) 1024
Public Key Algorithm rsaEncryption
Public Key
Modulus (1024 bit):
00:e3:ab:e5:6f:05:76:94:38:59:b1:76:37:d7:d0:
bc:54:1b:ac:68:b2:89:3f:89:00:ee:12:90:eb:f2:
50:a4:ba:fe:b4:a7:d5:23:d8:ef:c4:ae:22:d4:53:
e1:75:70:42:e1:d5:22:99:f2:0a:3f:31:ca:8c:13:
05:c7:f3:a9:c1:16:18:60:b2:5c:a8:f7:0b:28:fa:
39:75:30:fe:ba:4b:72:c3:dc:3b:4d:6a:c3:b1:16:
ab:31:3e:f6:05:f4:b7:eb:5b:4a:6b:a5:f5:36:e2:
fa:ea:46:33:30:27:39:c6:a1:e9:32:87:4e:06:6b:
92:af:1b:d2:f3:44:d9:34:e9
Exponent: 65537 (0x10001)
Signature Algorithm sha1WithRSAEncryption
What's wrong with this? Or how can I do a PKCS#10 with subjectAltName
for openca?
Thanks for reading, any help is very welcome
Nicolas
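Added example (not part of the original post, and not OpenSSL or OpenCA code): a standard-library Python check that walks a PKCS#10 request to its extensionRequest attribute and lists the subjectAltName entries it asks for, so the request can be checked independently of what the RA interface displays. The names tlvs, requested_sans, der and sample_csr are chosen for this illustration, and the request built by sample_csr is a constructed, unsigned skeleton with an empty subject and key.

```python
import base64
OID_EXT_REQUEST = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest
OID_SAN = bytes.fromhex("551d11")                      # 2.5.29.17 subjectAltName
SAN_TAGS = {0x81: "email", 0x82: "DNS", 0x86: "URI"}   # GeneralName context tags

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                    # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def requested_sans(pem):
    """Return [(kind, value)] for the subjectAltName a PKCS#10 request asks for."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    info = next(tlvs(next(tlvs(base64.b64decode(b64)))[1]))[1]   # CertificationRequestInfo
    for attrs in (v for t, v in tlvs(info) if t == 0xA0):        # [0] attributes
        for _, attr in tlvs(attrs):
            (_, oid), (_, values) = tlvs(attr)
            if oid != OID_EXT_REQUEST:
                continue
            for _, ext in tlvs(next(tlvs(values))[1]):           # Extensions SEQUENCE in the SET
                fields = [v for _, v in tlvs(ext)]               # extnID, [critical], extnValue
                if fields[0] == OID_SAN:
                    names = next(tlvs(fields[-1]))[1]            # OCTET STRING wraps GeneralNames
                    return [(SAN_TAGS.get(t, hex(t)), v.decode("latin-1")) for t, v in tlvs(names)]
    return []

def der(tag, *parts):
    """Encode one DER element; used only to build the constructed sample."""
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_csr(names):
    """Constructed, unsigned CSR skeleton (empty subject and key) requesting DNS SANs."""
    general = der(0x30, *(der(0x82, n.encode()) for n in names))
    ext = der(0x30, der(0x06, OID_SAN), der(0x04, general))
    attr = der(0x30, der(0x06, OID_EXT_REQUEST), der(0x31, der(0x30, ext)))
    info = der(0x30, der(0x02, b"\0"), der(0x30), der(0x30), der(0xA0, attr))
    body = base64.encodebytes(der(0x30, info, der(0x30), der(0x03, b"\0"))).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + body + "-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    print(requested_sans(sample_csr(["www.test.com", "www.test.net", "www.test.org"])))
```

An empty list from requested_sans means the request itself carries no subjectAltName; a non-empty list means the names are in the request.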
