RE: Becoming a CA for group of internal servers?
> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Thursday, 01 September, 2011 17:43

> Many thanks again, okay a little progress now... after creating the
> request by running;
>
>     openssl req -new -key server.key -out server.csr -config customopenssl.cnf
>
> then viewing with;
>
>     openssl req -in server.csr -text -noout
>
> I can see the S-A-N.
>
> However when I then sign with;
>
>     openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
>         -CAcreateserial -out server.crt -days 365
>
> And then view with;
>
>     openssl x509 -in server.crt -text -noout
>
> I do not see the S-A-N?

As I said, 'x509 -req' does NOT use the extensions in the CSR.
You need to use -extfile and possibly -extensions (not -extsect
as I mistyped in the other message) *on 'x509 -req'*.

Specifically, if you have subjectAltName=@something in [v3_req],
as you normally would for 'req -new', just add

    -extfile customopenssl.cnf -extensions v3_req

Or you can put extensions=v3_req in the default section (which I
notate [] but actually has no [x] line at all), or put the
subjectAltName=@something directly in default, and use just

    -extfile customopenssl.cnf

Or you could use 'ca' instead, but I think you're closer this way.

> I assume I should expect to see this in the signed .crt?

Once you get it right, yes.

> When I created my ca.crt I did not have an updated customopenssl.cnf
> do I need to re-create my ca.crt?

No change in the CA cert (or key) is needed. The items/sections
you've been changing in your .cnf are for the child CSRs & certs.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
RE: Becoming a CA for group of internal servers?
Many thanks again, okay a little progress now... after creating the
request by running;

    openssl req -new -key server.key -out server.csr -config customopenssl.cnf

then viewing with;

    openssl req -in server.csr -text -noout

I can see the S-A-N.

However when I then sign with;

    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

And then view with;

    openssl x509 -in server.crt -text -noout

I do not see the S-A-N? I assume I should expect to see this in the
signed .crt?

When I created my ca.crt I did not have an updated customopenssl.cnf;
do I need to re-create my ca.crt?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 01 September 2011 20:51
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?
Re: Becoming a CA for group of internal servers?
On 01-09-2011 21:51, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
>> Sent: Thursday, 01 September, 2011 13:44
>>
>> req_extensions will put the names in a CSR (signing request) file
>> when running the "req" command.
>>
>> x509_extensions will put the names in the actual certificate file
>> when running the "x509" command.
>
> Small correction: [req]req_extensions will put SubjectAltName (or other)
> in the CSR for 'req -new' but 'x509 -req' ignores extensions in the CSR.
>
> [$default_ca]x509_extensions will put in the cert (regardless of the CSR)
> *for 'ca' which this OP is not using*. Also for 'ca'
> [$default_ca]copy_extensions will put extensions from the CSR.

My point exactly, I was trying to keep the explanations simple for this user.

> [] OR []extensions, or -extsec, will put in the cert for 'x509 -req'.
> But only if -extfile explicit; it doesn't have any config by default.

Hmm, the way I read the docs, "-extensions my_exts" should use the
extensions from section [my_exts] in openssl.cnf (or the file specified
with -config), however I assumed that this part of the user's setup was
already working when I joined the discussion.

>> On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:
>>> thanks - sorry my previous post wasn't clear enough, the
>>> req_extensions value references the section I put the subject.
>>> and alt names in...
>>>
>>>     req_extensions = v3_req
>>>
>>>     [ v3 req ]
>>>
>>>     SubjectAltName = @alt_names
>>>
>>> Should this work?
RE: Req with ECDSA key and CA with RSA key
> From: owner-openssl-us...@openssl.org On Behalf Of Rick Lopes de Souza
> Sent: Tuesday, 30 August, 2011 15:46

> Another question is: Is there any problem to use a different kind of key
> on the request that the Certificate Authority has?

No problem, as long as both algorithms (or all for the chain) are
supported by the systems using the certificates.

> Does Openssl support ecdsa with sha256 and sha512?
> Only above of 1.0.0 ?

Only 1.0.0 series yes -- at least for generating certs etc.
If you want to use a cert signed ECDSA+SHA2 *for TLS* e.g.
ECDH-ECDSA-AES256-SHA that was fixed only a few weeks ago
http://marc.info/?l=openssl-users&m=131333015717842&w=2
so you currently need a snapshot or patched version.
RE: Becoming a CA for group of internal servers?
> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Thursday, 01 September, 2011 13:44

> req_extensions will put the names in a CSR (signing request)
> file when running the "req" command.
>
> x509_extensions will put the names in the actual certificate
> file when running the "x509" command.

Small correction: [req]req_extensions will put SubjectAltName (or other)
in the CSR for 'req -new' but 'x509 -req' ignores extensions in the CSR.

[$default_ca]x509_extensions will put in the cert (regardless of the CSR)
*for 'ca' which this OP is not using*. Also for 'ca'
[$default_ca]copy_extensions will put extensions from the CSR.

[] OR []extensions, or -extsec, will put in the cert for 'x509 -req'.
But only if -extfile explicit; it doesn't have any config by default.

> On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:
> > thanks - sorry my previous post wasn't clear enough, the
> > req_extensions value references the section I put the subject.
> > and alt names in...
> >
> >     req_extensions = v3_req
> >
> >     [ v3 req ]
> >
> >     SubjectAltName = @alt_names
> >
> > Should this work?
RE: Becoming a CA for group of internal servers?
> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Wednesday, 31 August, 2011 21:32

> I tested with below, all looks good. After running I am converting
> to .der files and generating a keystore with ImportKey.java -
> could this be removing what is needed?

"looks good" means 'x509 -text -noout' DOES show S-A-N?

If it's in the cert at all, it's within the signed part,
so nothing that processes the cert can remove or modify it
without invalidating the signature, which should cause
(hopefully obvious) errors whenever it is used for anything.

> > From: owner-openssl-us...@openssl.org
> >
> > Before using the cert, test it with the command:
> >
> >     openssl x509 -in yourcert.cer -noout -text
> >
> > If the parameters were in the right place, you should see all the extra
> > names as "SubjectAlternativeName" attributes in the cert.
> >
> > On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
> > > I have also observed when viewing the certificates I am unable to see
> > > any references to the alt_names added, I have double checked the CA
> > > certificate created with below steps has been successfully added to
> > > Authorities and for the CN it works as expected.

'viewing the certificates' where and how?
If it's in a java keystore, keytool -list -v should show all
extensions including S-A-N.
RE: Becoming a CA for group of internal servers?
Great thanks ... So within the openssl.cnf file there are two
x509_extensions entries.

First in the [ CA_default ] section...

    x509_extensions = usr_cert

Second in the [ req ] section ...

    x509_extensions = v3_ca

I have added the values;

    SubjectAltName = @alt_names

    [alt_names]
    DNS.1 = server.domain.com
    DNS.2 = server

... in [v3_ca] section and recreated request - is this the correct
section?...

    openssl req -new -key server.key -out server.csr -config customopenssl.cnf

and signed with self created CA...

    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

Do I need to add the -config option to the bottom line?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: 01 September 2011 18:44
To: openssl-users@openssl.org
Subject: Re: Becoming a CA for group of internal servers?
Re: Becoming a CA for group of internal servers?
req_extensions will put the names in a CSR (signing request) file
when running the "req" command.

x509_extensions will put the names in the actual certificate file
when running the "x509" command.

On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:
> thanks - sorry my previous post wasn't clear enough, the
> req_extensions value references the section I put the subject.
> and alt names in...
>
>     req_extensions = v3_req
>
>     [ v3 req ]
>
>     SubjectAltName = @alt_names
>
> Should this work?
Re: Becoming a CA for group of internal servers?
thanks - sorry my previous post wasn't clear enough, the req_extensions
value references the section I put the subject. and alt names in...

    req_extensions = v3_req

    [ v3 req ]

    SubjectAltName = @alt_names

Should this work?

----- Original Message -----
From: owner-openssl-us...@openssl.org
To: openssl-users@openssl.org
Sent: Thu Sep 01 18:26:42 2011
Subject: Re: Becoming a CA for group of internal servers?
Re: Becoming a CA for group of internal servers?
Ah, there it is.

The "SubjectAltName = @alt_names" line is in the wrong section of your
file.

You need to find the line that says "x509_extensions" (There may be more
than one, try to find the one that is used). That line contains the name
of another section, and that other section is the one that needs to say
"SubjectAltName = @alt_names" when you are generating the multi-name
certificate.

The mail you quote below mentions another way that does not involve
putting the names in an openssl.cnf file, but in another file that looks
almost like an openssl.cnf file. His example file does not contain
multiple names, and contains some other options that you probably won't
need today, making it hard to understand.

On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:
> Apologies I'm not sure I follow what you mean with below;
>
> I have copied openssl.cnf to customopenssl.cnf then edited the below
> lines to allow multiple hosts....
>
>     req_extensions = v3_req
>
>     SubjectAltName = @alt_names
>
>     [alt_names]
>     DNS.1 = server.domain.com
>     DNS.2 = server
>
> Do I need to add more?
Re: Becoming a CA for group of internal servers?
Apologies I'm not sure I follow what you mean with below;

I have copied openssl.cnf to customopenssl.cnf then edited the below
lines to allow multiple hosts....

    req_extensions = v3_req

    SubjectAltName = @alt_names

    [alt_names]
    DNS.1 = server.domain.com
    DNS.2 = server

Do I need to add more?

----- Original Message -----
From: owner-openssl-us...@openssl.org
To: openssl-users@openssl.org
Sent: Thu Sep 01 08:00:17 2011
Subject: Re: Becoming a CA for group of internal servers?
Re: Becoming a CA for group of internal servers?
you might want to read the description of the -extfile parameter of the
x509 command

an excerpt from curl-7.21.6/tests/certs/scripts/genserv.sh
available at curl.haxx.se

    $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
    $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
    $OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1

with a $PREFIX-sv.prm like the following

    extensions = x509v3
    [ x509v3 ]
    subjectAltName = DNS:localhost
    keyUsage = keyEncipherment
    extendedKeyUsage = serverAuth
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid
    basicConstraints = critical,CA:false
    [ req ]
    default_bits = 1024
    distinguished_name = req_DN
    default_md = sha256
    string_mask = utf8only
    [ req_DN ]
    countryName = "Country Name is Northern Nowhere"
    countryName_value = NN
    organizationName = "Organization Name"
    organizationName_value = Edel Curl Arctic Illudium Research Cloud
    commonName = "Common Name"
    commonName_value = localhost

    [something]
    # The key
    # the certificate
    # some dhparam
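Added example, not from the thread or from the OpenSSL or curl projects: a POSIX shell script that reproduces the point made in Dave Thompson's replies above and relied on by the curl script in this message, namely that 'req -new' with req_extensions puts the SAN into the CSR, plain 'x509 -req' does not carry it into the certificate, and '-extfile customopenssl.cnf -extensions v3_req' does. It assumes an openssl binary on PATH; the config contents, file names and function names (san_of, has_san, run_demo and the rest) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL/curl). Shows the
# behaviour discussed on the list: 'req -new' puts the SAN into the CSR,
# plain 'x509 -req' drops it, '-extfile CNF -extensions v3_req' restores it.
# Assumes a POSIX shell and an openssl binary on PATH; all file names and
# the config below are constructed here in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/customopenssl.cnf"

# Stand-in for the OP's customopenssl.cnf: [req]req_extensions wires the
# SAN into 'req -new'; the same v3_req section is reused when signing.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions = v3_req

[ req_dn ]

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = server.domain.com
DNS.2 = server
EOF

# san_of CMD FILE: print the SAN of a cert (CMD=x509) or CSR (CMD=req)
# without spaces, e.g. "DNS:server.domain.com,DNS:server"; empty if absent.
san_of() {
    openssl "$1" -in "$2" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# has_san CMD FILE: succeed when the object carries a Subject Alternative Name
has_san() { [ -n "$(san_of "$1" "$2")" ]; }

build_ca() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -config "$CNF" \
        -subj "/CN=Internal Test CA" -days 365 -out "$WORK/ca.crt"
}

make_csr() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/server.key"
    openssl req -new -key "$WORK/server.key" -config "$CNF" \
        -subj "/CN=server.domain.com" -out "$WORK/server.csr"
}

# The OP's signing command: extensions present in the CSR are ignored
sign_plain() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/server-plain.crt"
}

# The fix from the thread: hand the config and section to 'x509 -req' again
sign_with_extfile() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$CNF" -extensions v3_req \
        -out "$WORK/server-san.crt"
}

# run_demo: build everything and return 0 only when all three observations
# from the thread hold; a non-zero code says which step broke
run_demo() {
    { build_ca && make_csr && sign_plain && sign_with_extfile; } >/dev/null 2>&1 || return 2
    has_san req "$WORK/server.csr" || return 3            # SAN is in the CSR
    ! has_san x509 "$WORK/server-plain.crt" || return 4   # dropped by plain x509 -req
    has_san x509 "$WORK/server-san.crt" || return 5       # present with -extfile
    return 0
}

rc=0; run_demo || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "CSR (req -new):             $(san_of req "$WORK/server.csr")"
    echo "x509 -req, no -extfile:     '$(san_of x509 "$WORK/server-plain.crt")'"
    echo "x509 -req -extfile:         $(san_of x509 "$WORK/server-san.crt")"
else
    echo "demo failed at step $rc (is openssl on PATH?)" >&2
fi
```

The same check (has_san on the signed file) is what to run before importing a cert into a keystore, since a SAN that is missing at this point cannot be added later without re-signing.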