Many thanks, however afraid no joy yet. After editing and adding @alt_names for a custopenssl.cnf and running

openssl req -new -key server.key -out server.csr -config custopenssl.cnf

when trying to access through a browser (Firefox) I get the error code: ssl_error_bad_cert_domain.

We are using Tomcat and the server.xml has the following attributes populated with correct values:

keystorePass="<my password>" keystoreFile="<my file location>" keyAlias="tomcat"

I have also observed when viewing the certificates that I am unable to see any references to the alt_names added. I have double checked that the CA certificate created with the below steps has been successfully added to Authorities, and for the CN it works as expected.

Anything I'm missing?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: 31 August 2011 17:23
To: openssl-users@openssl.org
Subject: Re: Becoming a CA for group of internal servers?

On 8/31/2011 5:57 PM, Hopkins, Nathan wrote:
> Thanks this is very helpful!
>
> Now I have the challenge of using multiple hostnames - any advice on how
> I could do this would be much appreciated?
>
> I'd like to have one cert that allows me to use below for example;
>
> https://sitename
> https://site.dom.co.uk
>
Set the CN= (common name) part of the subject name to the most used name,
e.g. "site.dom.co.uk"

In openssl.conf in the same section that contains your "basicConstraints"
add this line

subjectAltName = @alt_names

And add this section:

[alt_names]
DNS.1=site.dom.co.uk
DNS.2=sitename
DNS.3=sitename.yourinternaldomain.example
IP.1=10.11.12.13 ; etc.

> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
> Sent: 19 August 2011 02:40
> To: openssl-users@openssl.org
> Subject: RE: Becoming a CA for group of internal servers?
>
>> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
>> Sent: Thursday, 18 August, 2011 06:45
>
>> Please can you advise if this is the correct process for becoming a CA
>> for internally for group of servers?
>
> With slight fixes it is ONE correct way. There are others.
>
>> openssl genrsa -des3 -out ca.key 2048
>> openssl req -new -x509 -key ca.key -out ca.crt
>
> This will give your CA cert a lifetime of only 30 days,
> and when it expires the cert(s) you signed under it
> will be rejected by any good relier. You want to make
> the CA cert lifetime AT LEAST as long as any child cert,
> but only as long as you expect to keep its key secure.
> Add -days number as applicable on the 'req -new -x509'.
>
>> openssl genrsa -des3 -out server.key 2048
>> openssl req -new -key server.key -out server.csr
>
>> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
>> -CAcreateserial server.crt -days 365
>
> -CAcreateserial is only needed on the first, but due to some,
> er, interesting defaults it does no harm on the others.
> Need -out before server.crt (or whatever.crt).
>
>> How do you omit a pass phrase in step 2) ?
>
> If you don't want a passphrase on the server key, omit -des3
> from the genrsa step for the server key. Then make sure no one
> but the desired server (and you) ever has access to the file.
>
>> The -days 365 doesn't seem to work - do I need to change
>> openssl.cnf?
>
> -days should work for 'x509 -req' (and 'req -x509'). You do change
> the config file (openssl.cnf or perhaps other) IF you use 'ca'.
>
> What makes you think it didn't work? Are you looking at the period
> of the server cert (not the CA cert, see above about that)?
>
>> Where does the public key live ?
>
> There is one public key for each private key, aka keypair.
>
> It is effectively incorporated in the private key which you generated
> by genrsa and put in *.key; for the CA you used 'req -new -x509' which
> then puts the public key plus other info (directly) in the certificate.
> Otherwise 'req' puts the public key plus other info in the request
> *.csr; the 'x509 -req' function copies the public key and (most) other
> info from the request into the certificate.
>
> You can see the contents of a csr with:
> openssl req -in file -text -noout
> and of a cert with:
> openssl x509 -in file -text -noout
>
> You can extract the public key from an RSA private key with
> openssl rsa -in file -pubout [ -out file2 ]
> or (any type) from a certificate with
> openssl x509 -in file -pubkey -noout [ -out file2 ]
> but there's very little you can do with a public key by itself.
> Usually you want the cert containing it. That's why certs exist.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
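The full sequence from the thread (CA, server key, CSR carrying the [alt_names] section, and 'x509 -req' signing) as an added, runnable example that is not part of the list posts; it assumes the openssl CLI is installed, and every hostname and the IP are constructed. The one detail it adds beyond the thread is that 'x509 -req' needs -extfile/-extensions to emit the SAN from the CSR, which is the usual reason the issued certificate shows no alt_names.

```shell
# Added example (not from the thread): private CA + server cert whose SAN really
# lands in the cert. Assumes the openssl CLI is installed; names/IP are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Config as the thread describes: v3_req goes into the CSR, v3_ca into the CA cert.
write_san_config() {
    cat > "$WORK/custopenssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
req_extensions     = v3_req
x509_extensions    = v3_ca
prompt             = no
[req_dn]
CN = site.dom.co.uk
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_req]
basicConstraints = CA:FALSE
subjectAltName   = @alt_names
[alt_names]
DNS.1 = site.dom.co.uk
DNS.2 = sitename
DNS.3 = sitename.internal.example
IP.1  = 10.11.12.13
EOF
}
make_ca_and_server_cert() {
    write_san_config
    # CA outlives its children (-days); no -des3 so the run is unattended.
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -config "$WORK/custopenssl.cnf" \
        -subj "/CN=Internal Test CA" -out "$WORK/ca.crt"
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -config "$WORK/custopenssl.cnf" \
        -out "$WORK/server.csr"
    # 'x509 -req' does not copy CSR extensions by itself; without -extfile/-extensions the SAN vanishes.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/custopenssl.cnf" -extensions v3_req \
        -out "$WORK/server.crt"
}
# SAN line of the issued cert; empty if the extension is missing.
san_of_server_cert() {
    openssl x509 -in "$WORK/server.crt" -text -noout \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}
# Succeeds only if the chain validates AND the name matches a SAN entry (the browser's check).
verify_hostname() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
```

Run make_ca_and_server_cert, then san_of_server_cert should list every DNS and IP entry and verify_hostname should succeed for each of them and fail for any other name.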