OpenSSL: how to generate a CSR with interactively solicited Subject Alternative Names (SANs)?


Solution 1

I'm also looking for a solution. And this is, what you want:

[req]
default_bits      = 2048
default_key_file  = private.key.pem
...
...
attributes        = req_attributes

[req_attributes]
subjectAltName = Alternative DNS names, email addresses or IPs (comma separated list)
#optional default value
subjectAltName_default = DNS:myhost.com.au,IP:127.0.0.1,EMAIL:[email protected]

And you get this at the prompt for alternative subject name(s) :)

#openssl req -in mytest1/temp.csr.pem -noout -text
    Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Sachsen, L=Heidenau, O=IT Rab\xC3\xB6se, OU=ssl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d8:cd:14:ca:d0:06:6c:8c:11:e9:52:bc:46:39:
                    c1:cf:5a:6e:dd:3b:a8:85:15:6b:13:82:82:4a:48:
                    cb:53:ea:70:ea:f4:02:b2:ef:b1:41:b2:d7:11:c7:
                    11:ba:07:1b:be:8c:30:bc:60:d2:82:83:a1:e1:19:
                    75:3b:69:03:01:3c:2b:7b:85:f4:2e:a9:58:68:8f:
                    0e:f4:5e:50:e1:3f:9e:cf:46:a0:eb:69:aa:1e:cb:
                    3a:99:cb:1d:93:60:d0:3b:38:96:87:45:19:51:f4:
                    40:72:e5:a7:5e:62:37:41:44:48:64:47:95:14:97:
                    4f:27:d0:0c:e7:6f:c1:e1:37
                Exponent: 65537 (0x10001)
        Attributes:
            X509v3 Subject Alternative Name:DNS:www.google.de,EMAIL:[email protected]
    Signature Algorithm: sha1WithRSAEncryption
        9d:2b:e4:eb:1b:c0:b6:0b:b4:62:a7:4d:01:68:98:68:36:98:
        1e:e9:bc:59:24:0f:1b:32:7b:da:9d:39:a4:0f:2c:70:3e:aa:
        f7:07:e7:6b:9b:3b:00:b3:71:e0:54:07:78:c7:6e:57:e3:89:
        07:e1:93:f1:77:e7:cc:0e:d0:ed:c5:d0:a3:5d:1a:cd:bb:d8:
        5f:64:25:81:1b:a8:2f:ef:c7:84:7a:f6:b8:52:4e:4c:1c:8d:
        83:b7:9b:02:8e:b2:39:68:a1:fe:f1:59:8b:e0:c4:91:f1:a9:
        c7:b3:82:a3:d2:92:2b:e5:79:9f:29:b6:63:e7:cf:9d:17:98:
        fe:70

Solution 2

I've battled with this little nugget myself ... what a PITA!

My solution: I moved all of the openssl.cnf file into a Template Toolkit file, leaving only the SANs piece as the replacement piece, then wrapped a Perl script around it.

The Perl script prompts for the SAN entries, then inserts them into the template, saves the template to a temp file, and then I call openssl req with the -config option pointed at the temp file. I discard the temp file after the CSR is generated.

You also might want to look at: http://www.openssl.org/docs/apps/config.html

There are others who override $ENV just prior to execution and wrap the call to openssl req in perl or shell and accomplish the same thing in a slightly more efficient manner: http://blog.loftninjas.org/2008/11/11/configuring-ssl-requests-with-subjectaltname-with-openssl/

Solution 3

This "subjectAltName" should not be in this section (attributes = req_attributes), but in a section referenced by req_extensions = (call it whatever you want).

And no need for all the BS like

subjectAltName           = Alternative subject names
subjectAltName_default   = DNS:www.g00gle.com

Just type in what you want, how many you want:

subjectAltName = DNS:*.g00gle.com, DNS:g00gle.com, DNS:192.168.1.2

(The last one makes internal access like "https://192.168.1.2" work without a warning.)

So something like:

[ req ]
req_extensions     = my_extensions

[my_extensions]
subjectAltName     = DNS:*.g00gle.com, DNS:g00gle.com, DNS:192.168.1.2

Cheers!
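Putting Solution 2 (prompt, write a temporary config, run openssl req -config) together with Solution 3 (subjectAltName in a req_extensions section, not req_attributes), here is an added POSIX sh wrapper. It is not code from any of the answers above; it assumes openssl is on the PATH, and the section name san_ext, the DN field list and the key/CSR paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: a POSIX sh wrapper that
# prompts for the SAN list, validates it, writes a temporary openssl.cnf whose
# [req] section points at a req_extensions section holding subjectAltName
# (Solution 3's layout), and runs `openssl req -config` with it (Solution 2's
# approach). Assumes openssl is on PATH; "san_ext", the DN field list and the
# key/CSR paths are placeholders you can change.

# Validate a comma-separated SAN list. Each entry must carry one of the
# general-name tags OpenSSL's x509v3 config syntax understands (DNS:, IP:,
# email:, URI:) followed by a non-empty value. Returns 0 if valid, 1 otherwise.
validate_sans() {
    rest="$1"
    [ -n "$rest" ] || return 1
    rest="$rest,"
    while [ -n "$rest" ]; do
        entry=${rest%%,*}          # text before the next comma
        rest=${rest#*,}            # drop it (and the comma) from the remainder
        # trim surrounding whitespace so "DNS:a, DNS:b" is accepted
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$entry" in
            DNS:?*|IP:?*|email:?*|URI:?*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Write a minimal openssl.cnf to $2 with the SAN list $1 in a req_extensions
# section. The DN fields are still prompted by openssl req as usual.
write_req_config() {
    sans="$1"; out="$2"
    cat > "$out" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = san_ext

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
organizationName    = Organization Name (eg, company)
commonName          = Common Name (e.g. server FQDN or YOUR name)

[ san_ext ]
subjectAltName = $sans
EOF
}

# Prompt for the SAN list, build the config, create the CSR, then display the
# extension so you can confirm it was encoded as an extension (not as the raw
# attribute that the req_attributes approach in the question produces).
make_csr() {
    key="$1"; csr="$2"
    printf 'Alternative subject names (e.g. DNS:alt1.example.com, IP:192.168.1.2): '
    read -r sans
    if ! validate_sans "$sans"; then
        echo "invalid SAN list: '$sans'" >&2
        return 1
    fi
    cfg=$(mktemp) || return 1
    write_req_config "$sans" "$cfg"
    openssl req -new -key "$key" -out "$csr" -config "$cfg"
    rc=$?
    rm -f "$cfg"                   # the temporary config is no longer needed
    [ "$rc" -eq 0 ] || return "$rc"
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: sh mkcsr.sh server.key server.csr
if [ $# -eq 2 ]; then
    make_csr "$1" "$2"
fi
```

Run it as `sh mkcsr.sh server.key server.csr`; openssl still prompts for the DN fields from the generated config, and the SAN prompt comes from the wrapper. After the CSR is signed, check the issued certificate's SAN too: as the comments below note, the CA side only carries the extension over if told to (the -extensions/-extfile options mentioned there, or copy_extensions in the CA's own config).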


Author: Maxy-B

Updated on September 18, 2022

Comments

  • Maxy-B
    Maxy-B over 1 year

    I wish to configure OpenSSL such that when running openssl req -new to generate a new certificate signing request, I am prompted for any alternative subject names to include on the CSR.

    I have added this line to the [req_attributes] section of my openssl.cnf:

    subjectAltName                  = Alternative subject names
    

    This has the desired effect that I am now prompted for SANs when generating a CSR:

    $ openssl req -new -out test.csr -key ./test.key                            <<<
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [New York]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Example Co]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:test.example.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Alternative subject names []:DNS:alt1.example.com
    

    In the above example, I have entered DNS:alt1.example.com when prompted for the SANs.

    The problem is that the resulting CSR does not appear to be well formatted:

    $ openssl req -text -in ./test.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US, ST=New York, O=The Banes, CN=test.thebanes.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        [...]
                    Exponent: 65537 (0x10001)
            Attributes:
                X509v3 Subject Alternative Name:unable to print attribute
    

    OpenSSL complains that it is unable to print the value of the Subject Alternative Name attribute. From examples online (where people hard-code the SANs into their openssl.cnf, rather than prompting for them interactively as I want), I expect to see this instead:

            Attributes:
                X509v3 Subject Alternative Name:
                    DNS:alt1.example.com
    

    So, how can I generate a well-formed CSR with interactively prompted SANs?

  • Greg Dubicki
    Greg Dubicki over 8 years
    The $ENV solution didn't work for me. :(
  • Greg Dubicki
    Greg Dubicki over 8 years
    This is NOT what OP asked for - he wanted an interactive solution.
  • Jess
    Jess over 6 years
    This works when looking at the CSR, but when I create a certificate, it doesn't keep the SAN.
  • raiserle
    raiserle over 6 years
    Is the format correct for SAN? Comma-separated list. Check with the SAN prefix DNS only, if IP and EMAIL are not supported. Example: INPUT >> DNS:my.dns.com, DNS:my.otherdns.org
  • raiserle
    raiserle over 6 years
    Ok. This is the normal function of openssl, wtf! You must also provide the SAN to the CA command as -extensions <string> or -extfile <file>. mta.openssl.org/pipermail/openssl-users/2016-January/…
  • dave_thompson_085
    dave_thompson_085 about 3 years
    That text was once true but is now obsolete; 1.1.1 (in 2018, well after this Q) added a commandline option -addext and the page you link actually shows an example of -addext subjectAltName. Even in lower versions, 'static' is arguable; on Unix (which OP here didn't indicate) with some shells you can create a named temporary file on the commandline using <(...) which OpenSSL accepts; see serverfault.com/questions/845766 or security.stackexchange.com/questions/74345
  • johnsoga
    johnsoga about 3 years
    Definitely not obsolete as it links the current man page. Given the OP's example they are looking to have the SAN entries prompted for like the other DN values from the req command which is not possible per the docs admission as I provided. Your example is based on passing CLI arguments which is not interactive OP requested and your links reference the same behavior. Redirecting shell input from a file as you showed does not meaningfully help. If you want to write a wrapper script then sure its possible that way but otherwise OP's request is not possible per provided docs admission