On Thu, May 23, 2013 at 06:12:39PM +0200, Erwann Abalea wrote:

> On 23/05/2013 17:41, Craig White wrote:
> >I want to be able to view CSRs with subjectAltNames but I
> >can't figure out any way to make it happen. I have pored over the
> >man pages and googled it to death already.
> >
> >openssl req -noout -text -in SOME_FILE.csr
> >
> >gives me the contents of the CSR but not the subjectAltNames
> >embedded in the CSR.
>
> Are you sure there's a SAN extension in the displayed CSR?
> Dump the entire content with asn1parse.

It almost certainly does not:

    $ openssl req -in req+key.pem -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:eb:de:7c:00:c2:58:59:59:1b:29:8a:6a:0b:d1:
                        72:5b:aa:14:2b:2f:7e:47:a3:77:73:de:9e:55:f0:
                        00:98:d5:1b:a2:3f:74:cf:4f:9a:6a:5a:1c:95:f2:
                        55:e8:01:72:cb:ca:37:66:2a:cf:64:0d:3e:ac:1c:
                        65:47:fe:22:ca
                    ASN1 OID: prime256v1
            Attributes:
            Requested Extensions:
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:example.com
        Signature Algorithm: ecdsa-with-SHA1
             30:45:02:20:04:ff:c2:5b:cf:0a:a0:4f:2e:a8:12:e3:8d:68:
             eb:b9:1e:ce:b0:a5:a6:e0:69:50:c8:84:f6:51:a6:8d:c9:90:
             02:21:00:8e:bd:37:19:9c:ff:7a:69:2d:5a:bf:50:d5:4b:f9:
             63:6b:a6:44:c7:40:55:f5:c1:52:0b:b4:4b:90:4f:a7:2b
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBAjCBqgIBADAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6958AMJYWVkb
    KYpqC9FyW6oUKy9+R6N3c96eVfAAmNUboj90z0+aaloclfJV6AFyy8o3ZirPZA0+
    rBxlR/4iyqBIMEYGCSqGSIb3DQEJDjE5MDcwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
    CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAkGByqGSM49BAEDSAAw
    RQIgBP/CW88KoE8uqBLjjWjruR7OsKWm4GlQyIT2UaaNyZACIQCOvTcZnP96aS1a
    v1DVS/lja6ZEx0BV9cFSC7RLkE+nKw==
    -----END CERTIFICATE REQUEST-----

Generated via:

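    #! /bin/bash
    # Files created below are readable only by the owner (the output holds a private key).
    umask 077
    tmp=$(mktemp .req+key.XXXXXX)
    dst=req+key.pem
    # -keyout /dev/stdout sends the new EC key to stdout together with the CSR,
    # so both are appended to $tmp. The config file is generated inline through
    # process substitution and names the [exts] section as req_extensions.
    openssl req -new -sha1 -subj "/" >> "$tmp" \
        -newkey param:<(openssl ecparam -name prime256v1) \
            -nodes -keyout /dev/stdout \
        -config <(printf "[req]\n%s\n[dn]\n[exts]\n%s\n" \
                "$(printf "%s\n%s\n" \
                    "distinguished_name=dn" \
                    "req_extensions=exts")" \
                "$(printf "%s\n%s\n" \
                    "extendedKeyUsage=serverAuth,clientAuth" \
                    "subjectAltName=DNS:example.com" \
                    )") &&
    mv "$tmp" "$dst"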

-- 
        Viktor.