Before using the cert, test it with the command:

  openssl x509 -in yourcert.cer -noout -text

If the parameters were in the right place, you should see all the extra names as
"SubjectAlternativeName" attributes in the cert.

On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
Many thanks, however afraid no joy yet. After editing and adding @alt_names for a custopenssl.cnf and running

  openssl req -new -key server.key -out server.csr -config custopenssl.cnf

when trying to access through a browser (Firefox) I get the error code: ssl_error_bad_cert_domain.

We are using Tomcat and the server.xml has the following attributes populated with correct values:

  keystorePass="<my password>" keystoreFile="<my file location>" keyAlias="tomcat"

I have also observed when viewing the certificates I am unable to see any references to the alt_names added. I have double checked the CA certificate created with the below steps has been successfully added to Authorities, and for the CN it works as expected.

Anything I'm missing?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: 31 August 2011 17:23
To: openssl-users@openssl.org
Subject: Re: Becoming a CA for group of internal servers?

On 8/31/2011 5:57 PM, Hopkins, Nathan wrote:
> Thanks this is very helpful! Now I have the challenge of using multiple hostnames - any advice on how I could do this would be much appreciated? I'd like to have one cert that allows me to use below for example;
>   https://sitename
>   https://site.dom.co.uk

Set the CN= (common name) part of the subject name to the most used name, e.g.
"site.dom.co.uk"

In openssl.conf in the same section that contains your "basicConstraints" add this line

  subjectAltName = @alt_names

And add this section:

  [alt_names]
  DNS.1=site.com.co.uk
  DNS.2=sitename
  DNS.3=sitename.yourinternaldomain.example
  IP.1=10.11.12.13
  ; etc.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 19 August 2011 02:40
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?

From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
Sent: Thursday, 18 August, 2011 06:45

> Please can you advise if this is the correct process for becoming a CA internally for a group of servers?

With slight fixes it is ONE correct way. There are others.

> openssl genrsa -des3 -out ca.key 2048
> openssl req -new -x509 -key ca.key -out ca.crt

This will give your CA cert a lifetime of only 30 days, and when it expires the cert(s) you signed under it will be rejected by any good relier. You want to make the CA cert lifetime AT LEAST as long as any child cert, but only as long as you expect to keep its key secure. Add -days number as applicable on the 'req -new -x509'.

> openssl genrsa -des3 -out server.key 2048
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial server.crt -days 365

-CAcreateserial is only needed on the first, but due to some, er, interesting defaults it does no harm on the others. Need -out before server.crt (or whatever.crt).

> How do you omit a pass phrase in step 2) ?

If you don't want a passphrase on the server key, omit -des3 from the genrsa step for the server key. Then make sure no one but the desired server (and you) ever has access to the file.

> The -days 365 doesn't seem to work - do I need to change openssl.cnf?

-days should work for 'x509 -req' (and 'req -x509'). You do change the config file (openssl.cnf or perhaps other) IF you use 'ca'. What makes you think it didn't work? Are you looking at the period of the server cert (not the CA cert, see above about that)?

> Where does the public key live ?

There is one public key for each private key, aka keypair. It is effectively incorporated in the private key which you generated by genrsa and put in *.key; for the CA you used 'req -new -x509' which then puts the public key plus other info (directly) in the certificate. Otherwise 'req' puts the public key plus other info in the request *.csr; the 'x509 -req' function copies the public key and (most) other info from the request into the certificate.

You can see the contents of a csr with:

  openssl req -in file -text -noout

and of a cert with:

  openssl x509 -in file -text -noout

You can extract the public key from an RSA private key with

  openssl rsa -in file -pubout [ -out file2 ]

or (any type) from a certificate with

  openssl x509 -in file -pubkey -noout [ -out file2 ]

but there's very little you can do with a public key by itself. Usually you want the cert containing it. That's why certs exist.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
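The thread's steps put together, as an added example that is not code from the thread or from OpenSSL: a POSIX shell script that builds the CA, issues a server cert carrying the @alt_names entries and checks them with `openssl x509 -text`. It also covers the signing detail that explains the missing alt_names: `openssl x509 -req` does not carry extensions over from the CSR, so the extension section has to be re-applied with -extfile/-extensions. It assumes the openssl CLI is installed; every name, the IP address and the file names are constructed for the demo.

```shell
# Added example (not from the thread): issue a server cert with the @alt_names
# entries, and show why they vanish when 'x509 -req' runs without -extfile.
# Assumes a POSIX shell and the openssl CLI; all names/IPs/files are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"
cat > custopenssl.cnf <<'EOF'
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[dn]
CN = site.dom.co.uk
[v3_ca]
basicConstraints = critical, CA:TRUE
[v3_req]
basicConstraints = CA:FALSE
subjectAltName   = @alt_names
[alt_names]
DNS.1 = site.dom.co.uk
DNS.2 = sitename
DNS.3 = sitename.internal.example
IP.1  = 10.11.12.13
EOF
make_ca() {   # CA lifetime (-days) must be at least as long as any child cert
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -key ca.key -out ca.crt -days 3650 \
    -config custopenssl.cnf -extensions v3_ca -subj "/CN=Internal Test CA"
}
make_csr() {  # no -des3 on genrsa, so the server key has no passphrase
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -config custopenssl.cnf
}
# 'x509 -req' ignores the extensions inside the CSR: the SAN section must be
# re-applied at signing time via -extfile/-extensions (OpenSSL 3 also accepts
# -copy_extensions copy). Leaving that out reproduces the "no alt_names" symptom.
sign_with_san() {
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile custopenssl.cnf -extensions v3_req -out "$1" 2>/dev/null
}
sign_without_san() {
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$1" 2>/dev/null
}
# Print a cert's SAN entries on one line (empty when the cert has none).
san_of() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '; }

make_ca && make_csr && sign_with_san server.crt && sign_without_san server-nosan.crt
san_of server.crt        # DNS:site.dom.co.uk,DNS:sitename,DNS:sitename.internal.example,IPAddress:10.11.12.13
san_of server-nosan.crt  # (empty line)
```

Loading server.crt and server.key into the Tomcat keystore is unchanged; the browser's name check only passes once the SAN line above lists the hostname it was given.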