Many thanks! - I now see the S-A-N in the signed cert :)

Next challenge is I'd like to create a pkcs12 file as below ...

openssl pkcs12 -export -in server.crt -inkey server.key -name tomcat -passout pass:changeit -out serverkeystore.pfx

However when I view with ...

openssl pkcs12 -in serverkeystore.pfx -info

I can't see S-A-N within the .pfx?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 01 September 2011 23:16
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?

> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Thursday, 01 September, 2011 17:43

> Many thanks again, okay a little progress now... after creating the
> request by running;
>
> openssl req -new -key server.key -out server.csr -config customopenssl.cnf
>
> then viewing with;
>
> openssl req -in server.csr -text -noout
>
> I can see the S-A-N.
>
> However when I then sign with;
>
> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
> -CAcreateserial -out server.crt -days 365
>
> And then view with;
>
> openssl x509 -in server.crt -text -noout
>
> I do not see the S-A-N?
>
As I said, 'x509 -req' does NOT use the extensions in the CSR.
You need to use -extfile and possibly -extensions (not -extsect
as I mistyped in the other message) *on 'x509 -req'*.

Specifically, if you have subjectAltName=@something in [v3_req],
as you normally would for 'req -new', just add

  -extfile customopenssl.cnf -extensions v3_req

Or you can put extensions=v3_req in the default section (which I
notate [] but actually has no [x] line at all), or put the
subjectAltName=@something directly in default, and use just

  -extfile customopenssl.cnf

Or you could use 'ca' instead, but I think you're closer this way.

> I assume I should expect to see this in the signed .crt?
>
Once you get it right, yes.

> When I created my ca.crt I did not have an updated customopenssl.cnf, do
> I need to re-create my ca.crt?
>
No change in the CA cert (or key) is needed. The items/sections
you've been changing in your .cnf are for the child CSRs & certs.
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
> Sent: 01 September 2011 20:51
> To: openssl-users@openssl.org
> Subject: RE: Becoming a CA for group of internal servers?
>
> > From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> > Sent: Wednesday, 31 August, 2011 21:32
>
> > I tested with below, all looks good. After running I am converting
> > to .der files and generating a keystore with ImportKey.java -
> > could this be removing what is needed?
>
> "looks good" means 'x509 -text -noout' DOES show S-A-N?
>
> If it's in the cert at all, it's within the signed part,
> so nothing that processes the cert can remove or modify it
> without invalidating the signature, which should cause
> (hopefully obvious) errors whenever it is used for anything.
>
> > From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
>
> > > Before using the cert, test it with the command:
> > > openssl x509 -in yourcert.cer -noout -text
> > > If the parameters were in the right place, you should see all the extra
> > > names as "SubjectAlternativeName" attributes in the cert.
>
> > > On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
> <snip>
> > > > I have also observed when viewing the certificates I am unable to see
> > > > any references to the alt_names added, I have double checked the CA
> > > > certificate created with below steps has been successfully added to
> > > > Authorities and for the CN it works as expected.
>
> 'viewing the certificates' where and how?
> If it's in a java keystore, keytool -list -v should show all extensions
> including S-A-N.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
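As an added example that is not part of the thread, the whole round trip Dave describes: a CSR whose SAN lives in [v3_req], signed with `-extfile`/`-extensions` on `x509 -req`, then bundled into a .pfx and checked. `pkcs12 -info` prints bag attributes (localKeyID, friendlyName) and the PEM blobs, not decoded X.509 extensions, so the SAN is only visible after extracting the certificate and running it through `x509 -text`. The config, CN, DNS names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sign a CSR so the SAN in [v3_req]
# is copied into the certificate, then confirm it is inside the .pfx.
# File names, the CN and the DNS names are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/customopenssl.cnf"

cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = intranet.example.test
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = intranet.example.test
DNS.2 = intranet
EOF

# Self-signed CA; as Dave notes, nothing in [v3_req] affects it.
openssl req -x509 -newkey rsa:2048 -nodes -config "$CNF" -subj /CN=TestCA \
  -days 30 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# CSR carrying the SAN (visible with 'req -text -noout').
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 'x509 -req' ignores the CSR's extensions, so name the section explicitly.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
  -extfile "$CNF" -extensions v3_req -out "$WORK/server.crt" 2>/dev/null

openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
  -name tomcat -passout pass:changeit -out "$WORK/serverkeystore.pfx"

# 'pkcs12 -info' shows bag attributes, not X.509 extensions; pull the
# certificate out of the bundle and decode it to see the SAN.
san_in_pfx() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
}

san_in_pfx "$WORK/serverkeystore.pfx"
```

Drop the `-extfile`/`-extensions` pair from the `x509 -req` line and the last command prints nothing, which is exactly the symptom from the earlier message.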