I don't see a dumb mistake with this one....
First, the CSR has multiple SANs:
$ openssl req -text -noout -verify -in servercert.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=XX, ST=XX, L=XX, CN=Test Server/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:3d:58:7f:a0:59:92:aa:7c:a0:82:dc:c9:6d:
...
f9:5e:0c:ba:84:eb:27:0d:d9:e7:22:5d:fe:e5:51:
86:e1
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
1F:09:EF:79:9A:73:36:C1:80:52:60:2D:03:53:C7:B6:BD:63:3B:61
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com,
DNS:mail.example.com, DNS:ftp.example.com
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
6d:e8:d3:85:b3:88:d4:1a:80:9e:67:0d:37:46:db:4d:9a:81:
...
76:6a:22:0a:41:45:1f:e2:d6:e4:8f:a1:ca:de:e5:69:98:88:
a9:63:d0:a7
Second, attempt to sign it. Notice the lack of SANs in the verification step.
$ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
Using configuration from openssl-ca.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'XX'
stateOrProvinceName :ASN.1 12:'XX'
localityName :ASN.1 12:'XXXX'
commonName :ASN.1 12:'Test Server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 20 17:44:51 2016 GMT (1000 days)
Third, here's the relevant section from openssl-ca.cnf:
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# subjectAltName = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# subjectAltName=copy
# subjectAltName=dns:copy
Attempting to use `subjectAltName=dns:copy` results in a parse error,
so I know the section is being read.
The disconnect here seems to be I cannot put `subjectAltName =
@alternate_names` (with appropriate section) in the CA's conf. In this
case, the CA has the SANs in the CSR, but it does not have access to
the other conf file with the `alternate_names` section.
Any ideas how to proceed?
Thanks in advance.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
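The situation the post describes, reproduced end to end as an added example (this is not part of the original message and not the OpenSSL project's code). In `openssl ca` the requested extensions in a CSR are ignored unless the CA section of the CA's config (`[ CA_default ]` below) contains `copy_extensions = copy`; the `-extensions signing_req` section is read, as the poster saw, but it only adds the extensions listed there. The script builds a throw-away CA, a CSR whose SANs come from an `alternate_names` section in a separate config the CA never sees, signs the CSR with `copy_extensions` set to `copy` and then to `none`, and reports whether `DNS:www.example.com` made it into the certificate. All file names, the demo CA name and the example DNS names are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from the OpenSSL project:
# issue a certificate with "openssl ca" and show that the subjectAltName
# entries in the CSR only reach the certificate when the CA section of the
# CA's config has "copy_extensions = copy". All names, paths and the example
# DNS names are assumptions made up for this demo; everything is written to
# a throw-away temp directory that is removed afterwards.

# issue_cert MODE   (MODE is the copy_extensions value: copy or none)
# Prints "present" if the issued certificate carries DNS:www.example.com,
# "absent" if it does not, and "skipped" if openssl is not installed.
issue_cert() {
  mode=$1
  if ! command -v openssl >/dev/null 2>&1; then
    echo skipped
    return 0
  fi
  work=$(mktemp -d)
  result=$(
    cd "$work" || exit 1
    mkdir newcerts && touch index.txt && echo 1000 >serial

    # CA config (assumed). The decisive line is copy_extensions: without it
    # openssl ca drops every extension requested in the CSR, SANs included.
    cat >openssl-ca.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database        = ./index.txt
new_certs_dir   = ./newcerts
serial          = ./serial
certificate     = ./cacert.pem
private_key     = ./cakey.pem
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = signing_policy
x509_extensions = signing_req
copy_extensions = $mode

[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
EOF

    # Self-signed demo CA certificate (assumed name).
    cat >ca-req.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext
[ ca_dn ]
CN = Demo Root CA
[ ca_ext ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
      -config ca-req.cnf -keyout cakey.pem -out cacert.pem >/dev/null 2>&1

    # Server CSR. The SANs live in an alternate_names section of a config
    # file the CA never reads; only the resulting CSR is handed to the CA.
    cat >server-req.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = server_dn
req_extensions     = server_ext
[ server_dn ]
CN = Test Server
[ server_ext ]
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -config server-req.cnf \
      -keyout serverkey.pem -out servercert.csr >/dev/null 2>&1

    # Sign it the way the post does (-batch only suppresses the y/n prompts).
    openssl ca -batch -config openssl-ca.cnf -policy signing_policy \
      -extensions signing_req -out servercert.pem \
      -infiles servercert.csr >/dev/null 2>&1

    if openssl x509 -in servercert.pem -noout -text 2>/dev/null \
        | grep -q 'DNS:www.example.com'; then
      echo present
    else
      echo absent
    fi
  )
  rm -rf "$work"
  echo "$result"
}

# Stand-alone run: the same CSR, signed under both settings.
echo "copy_extensions = copy: $(issue_cert copy)"
echo "copy_extensions = none: $(issue_cert none)"
```

One caveat a CA operator should keep in mind: with `copy_extensions = copy`, any extension in the CSR that is not also defined in the `signing_req` section is carried into the certificate verbatim, so a requester controls those fields. Extensions that are defined in `signing_req` (here `basicConstraints`, `keyUsage`, the key identifiers) override whatever the CSR asked for, which is why `CA:FALSE` in the CA's config still wins even if a CSR requested `CA:TRUE`. Inspect the CSR with `openssl req -text -noout` before signing, as the post does, and keep the security-relevant extensions pinned in the CA's own section.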