Adding Subject Alternate Names (SAN) to an existing Cert Signing Request (CSR)

Solution 1

If your chassis doesn't support adding SANs, you'll need to get the key off the chassis and generate the CSR with openssl.

Make sure req_extensions = v3_req is uncommented in the [ req ] section.

Add the subjectAltName to the [ v3_req ] section.

Generate a new CSR.

openssl req -new -key extracted_c7000.key -out your_new.csr

You cannot edit an existing CSR.

Solution 2

While cakemox's answer is definitely the easiest if you can somehow get a copy of the private key, there's another way if you can't by basically re-signing the CSR using an "Enrollment Agent" certificate.

This blog post has all of the nitty gritty details. But the high level overview of the process looks like this:

  • Acquire an Enrollment Agent Certificate
  • Modify an SSL certificate template to require an EA certificate for issuance
  • Acquire a CSR that needs SAN Information
  • Use the EA certificate to resign the CSR while adding the SAN information

When I tried this personally, I'm pretty sure I skipped the part about modifying the certificate template. Presuming you can generate an Enrollment Agent cert for yourself, the actual process looks something like this.

Create a san.inf with the SAN extension info in it

[Extensions]
2.5.29.17="{text}dns=mysan1.example&dns=mysan2.example"

Re-sign the request

certreq -policy -config "myca.example\CA" orig-request.csr san.inf corrected-request.csr

Submit the corrected request

certreq -submit -config "myca.example\CA" -attrib "CertificateTemplate:MyTemplate" corrected-request.csr

And then proceed as normal with the issuance process.

Author: Secoe

Updated on September 18, 2022

Comments

  • Secoe
    Secoe almost 2 years

    Can anyone tell me how I can add a number of Subject Alternate Names to an existing CSR?

    I'm not talking about generating a CSR with SANs or adding SANs at signing time - I know how to do both of these things.

    Background: The problem we have is that HP blade chassis allow you to generate CSRs, but they only allow a single SAN. We can't use a CSR generated elsewhere as we could not use the resultant cert, as there is no way (that I can find) to upload the key to the blade chassis.

    Our CA's standard process does not allow for adding SANs at signing time. They are willing to experiment; however, I am trying to find a solution at our end, as this will mean we won't have to rely on them having a non-standard process for us. In my experience, if they need to use a non-standard process, life will eventually get difficult, e.g. when a staff member who knows the non-standard process is not present due to leave etc.

    Current method is to connect to the blade chassis onboard admin via the web GUI and generate the CSR with a single CN.

    The web gui only allows for a single SAN in the CSR.

    Then we self-sign it with the following stanza in the openssl config:

    [ v3_ca ]
    subjectAltName = "DNS:bladesystem8,DNS:bladesystem8.services.adelaide.edu.au,DNS:bladesystem8-backup,DNS:bladesystem8-backup.services.adelaide.edu.au"
    

    The resultant cert has the extra SANs.

    • Admin
      Admin about 13 years
      How are you generating the certs on the blade chassis currently? What method are you using to connect etc.. what model blade chassis?
    • Admin
      Admin about 13 years
      What method are you using to connect to it currently and what is your process for generating certs for it?
    • Admin
      Admin about 13 years
      I've edited the main question to include the current method.
    • Admin
      Admin about 13 years
      As far as I know it is not possible to download the key. I'm happy to pay the bounty to anyone who can tell me how to download a key from a HP c7000 and Virtual Connect Manager, in such a manner that it is possible to use the key to generate a CSR and then use the resultant cert after the CSR is signed on the c7000 and VC module.
    • Admin
      Admin about 13 years
      Can you import the Cert & Private Key if you generate it on another machine and export it?
  • MadHatter
    MadHatter about 13 years
    What cakemox said. If you could edit a certificate (that is, a signed CSR) after it had been signed, it would defeat the whole purpose of certificate authorities.
  • Secoe
    Secoe about 13 years
    I don't want to edit the CSR after it is signed - that would, as you say, defeat the purpose. I want to edit the CSR after it is generated, but BEFORE it is signed. It is definitely possible to edit parts of a CSR before signing using openssl.
  • Secoe
    Secoe about 13 years
    If I could download the key, I would. Sorry I didn't mention that in the original question, but I have not been able to find a way to download the key. I'd be just as happy to pay the bounty to someone who could tell me how to download the key.
  • Secoe
    Secoe about 13 years
    FYI - It is definitely possible to edit parts of a CSR before signing using openssl, in particular the "openssl req -subj" option. This won't, however, as far as I can tell, add the v3 SAN extension; it will just allow you to specify a new subject line including additional CNs.
  • Philip
    Philip about 13 years
    The CSR is signed by the private key of the machine, so you can't edit it after it's been generated (or else it would fail to be signed anymore). It is possible that the CA edits the fields put in the public cert however; this is the only way to change the SAN field (which you have no control over if you're sending this to a public CA).
  • BMDan
    BMDan about 13 years
    On further research, option #2 is actually quite simple, too, and done by a number of CAs (e.g. to add site.com to a www.site.com cert as a SAN).
  • Admin
    Admin about 2 years
    This seems like the real answer to the OP's question. It does work, although it also says "Searching for private key..." on the -policy command and pops up some extra garbage, but hitting cancel works. Is there a way to do this in openssl/not Windows without @Cakemox's blow-it-away method?
  • Admin
    Admin about 2 years
    It seems like there should be a way to do it with openssl, but I have no clue how.