On 1/24/2014 6:54 PM, Jeffrey Walton wrote:
I don't see a dumb mistake with this one.... First, the CSR has multiple SANs:

$ openssl req -text -noout -verify -in servercert.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=XX, ST=XX, L=XX, CN=Test Server/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:3d:58:7f:a0:59:92:aa:7c:a0:82:dc:c9:6d:
                    ...
                    f9:5e:0c:ba:84:eb:27:0d:d9:e7:22:5d:fe:e5:51:
                    86:e1
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Key Identifier:
                1F:09:EF:79:9A:73:36:C1:80:52:60:2D:03:53:C7:B6:BD:63:3B:61
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
            Netscape Comment:
                OpenSSL Generated Certificate
    Signature Algorithm: sha256WithRSAEncryption
         6d:e8:d3:85:b3:88:d4:1a:80:9e:67:0d:37:46:db:4d:9a:81:
         ...
         76:6a:22:0a:41:45:1f:e2:d6:e4:8f:a1:ca:de:e5:69:98:88:
         a9:63:d0:a7

Second, attempt to sign it. Notice the lack of SANs in the verification step.
$ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
Using configuration from openssl-ca.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'XX'
stateOrProvinceName   :ASN.1 12:'XX'
localityName          :ASN.1 12:'XXXX'
commonName            :ASN.1 12:'Test Server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 20 17:44:51 2016 GMT (1000 days)

Third, here's the relevant section from openssl-ca.cnf:

####################################################################
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
# subjectAltName       = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# subjectAltName=copy
# subjectAltName=dns:copy

Attempting to use `subjectAltName=dns:copy` results in a parse error, so I know the section is being read.

The disconnect here seems to be I cannot put `subjectAltName = @alternate_names` (with appropriate section) in the CA's conf. In this case, the CA has the SANs in the CSR, but it does not have access to the other conf file with the `alternate_names` section.

Any ideas how to proceed?
This is a common problem with the openssl interface. It is practically a FAQ.

There are two methods, either should work:

- Temporarily edit/duplicate the CA openssl.conf, adding the specific alternate_names section for the duration of a single signing.
- Use the setting to copy *all* extensions from the CSR, and carefully examine each CSR before signing it.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
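The "setting" in Jakob's second method is the copy_extensions directive of the [ CA_default ] section in the CA's config (it defaults to none, which is why the SANs vanished in the original post). The script below is an added example, not code from either poster: it builds a throwaway CA twice, once with copy_extensions = none and once with copy_extensions = copy, signs the same SAN-bearing CSR with each, and prints the Subject Alternative Name of the issued certificate. The CA layout, key sizes, subject values and DNS names are all made up for the demonstration; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA signs one CSR that
# carries SANs twice, with copy_extensions = none (the CA drops the SANs,
# as in the original post) and with copy_extensions = copy (they survive).
# Needs the openssl CLI only; all paths, names and subjects are made up.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA under $WORK/ca-$1; $1 is the copy_extensions value.
make_ca() {
    dir="$WORK/ca-$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    cat > "$dir/openssl-ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/cakey.pem
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = signing_policy
copy_extensions = $1
# A policy section only constrains the Subject DN, never extensions.
[ signing_policy ]
commonName   = supplied
countryName  = optional
emailAddress = optional
# Pinned extensions. With copy_extensions = copy, CSR extensions that are
# already listed here (basicConstraints, keyUsage) are NOT overridden.
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext
[ ca_dn ]
CN = Demo CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/openssl-ca.cnf" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Create a server key and a CSR that requests two (made-up) SANs.
make_csr() {
    cat > "$WORK/server.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = server_dn
req_extensions     = server_ext
[ server_dn ]
C  = XX
CN = Test Server
[ server_ext ]
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Sign the CSR with the CA built for mode $1 and print the SAN line of the
# issued certificate (prints nothing when the CA dropped the extension).
san_of() {
    dir="$WORK/ca-$1"
    openssl ca -batch -notext -config "$dir/openssl-ca.cnf" \
        -policy signing_policy -extensions signing_req \
        -in "$WORK/server.csr" -out "$dir/server-$1.pem" 2>/dev/null
    openssl x509 -in "$dir/server-$1.pem" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

make_csr
make_ca none
make_ca copy
printf 'copy_extensions = none -> SAN: [%s]\n' "$(san_of none)"
printf 'copy_extensions = copy -> SAN: [%s]\n' "$(san_of copy)"
```

Two points worth keeping in mind when adopting the second method. With copy (as opposed to copyall), an extension that the CA already sets in its -extensions section wins over whatever the CSR asks for, so pinning basicConstraints = CA:FALSE and keyUsage in signing_req means a CSR requesting CA:TRUE still gets a non-CA certificate; anything not pinned there, subjectAltName above all, is taken from the CSR as-is, which is exactly why the CSR review Jakob recommends is not optional. Jakob's first method is the same config with copy_extensions left at none and subjectAltName = @alternate_names added to signing_req for that one signing; if both are in place, the section's subjectAltName takes precedence over the CSR's.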
