> From: owner-openssl-users On Behalf Of Anders Larsson
> Sent: Tuesday, December 03, 2013 17:20

<snip>

> I'm trying to use subjectAltName when I'm generating a csr on the
> commandline.
>
> I've been trying with the "-reqexts" flag, but I'm only getting errors....
> 'Openssl req -new -key debug.key -passin pass:abcd -out debug.csr -subj
> '/C=SE/ST=Stockholm/L=Stockholm/O=ABC/OU=IntSys/CN=some.dns.stuff.int/' -
> reqexts subjectAltName=DNS:xyz.host.name.cc.int'
>

As Ryan answered, -reqexts specifies a section of the config file, so there must be a config file.

> All it gives is a: "Error Loading request extension section
> subjectAltName=DNS:xyz.host.name.cc.int
>
> The config file is an option that seems to work, but I have not been able to mix
> config file with cmd-line parameters....As soon as I try the openssl req seems to
> require the subject to be inside the config file :-/
>

Be clear if you mean subject or SAN. They are different.

Subject in req -new can be done 3 ways:
- actual values in the config file, with prompt=no in the config file
- prompts in the config file, and you answer interactively, or you pipe or redirect from somewhere, but that's very fragile
- -subj on the command line, but you must still have a section in the config file with at least one entry even though it isn't used

And as someone pointed out to me recently, with -subj you can create an EMPTY subject, which req won't do the other ways. RFC 5280 allows cert subject to be empty when SAN is used, and some (many?) people consider this preferable. That doesn't necessarily mean *CSR* subject must be empty, since a CA could discard CSR subject when issuing cert. I could even see a plausible use case for this; CA might do validation of the requestor based partly on CSR.subject.

SAN extension in req -new can only be done from config file.

> The CA used is an internal one.
>
> Is it possible, and if so, how do I format the cmd-line to make it accept x509
> extensions from the cmd-line?
>

Be careful of this one too. Although X.509 defines some (not all) of the extensions used in CSRs and certs, and CRLs, openssl often uses x509 to mean specifically certs. In particular for 'req', x509_extensions in the config file is used for a self-signed cert created with -new -x509, while req_extensions is used for a CSR.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
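The combination the reply describes, as an added example that is not part of the thread: the subject comes from -subj on the command line, while the SAN comes from a req_extensions section in a small config file named by -reqexts, and the [ dn ] section exists only because req insists on one. The section names v3_req and dn, the placeholder CN, the second DNS name and the temporary directory are constructed for this example; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the list post). Shows a CSR whose subject is given
# with -subj and whose SAN is supplied through a req_extensions section.
# Section names (v3_req, dn), host names and file names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write a minimal config. Note the key is req_extensions, not x509_extensions:
# req -new applies req_extensions to the CSR, while x509_extensions is only
# used for a self-signed cert made with -new -x509.
make_san_config() {
    cfg="$1"
    san="$2"   # e.g. DNS:xyz.host.name.cc.int,DNS:alt.host.name.cc.int
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
# Not used when -subj is given, but req requires the section to have an entry.
CN = placeholder.invalid

[ v3_req ]
subjectAltName = $san
EOF
}

# Generate a fresh key and a CSR: subject from -subj, SAN from the config
# section named by -reqexts.
gen_csr() {
    cfg="$1"; key="$2"; csr="$3"; subj="$4"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" \
        -config "$cfg" -reqexts v3_req -subj "$subj" -out "$csr"
}

# Succeeds only if the parsed CSR carries the given DNS name in its SAN.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

make_san_config "$WORK/san.cnf" "DNS:xyz.host.name.cc.int,DNS:alt.host.name.cc.int"

if command -v openssl >/dev/null 2>&1; then
    gen_csr "$WORK/san.cnf" "$WORK/debug.key" "$WORK/debug.csr" \
        "/C=SE/ST=Stockholm/L=Stockholm/O=ABC/OU=IntSys/CN=some.dns.stuff.int"
    # Check the request before sending it to the CA: subject and SAN both present.
    openssl req -in "$WORK/debug.csr" -noout -subject
    csr_has_san "$WORK/debug.csr" "xyz.host.name.cc.int" && echo "SAN present"
fi
```

Inspecting the CSR with `openssl req -noout -text` before submitting it is the practical check here: if the SAN is missing, the request was generated against a section reached through x509_extensions instead of req_extensions, or -reqexts named a section the config does not define.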