OpenSSL
borodka_lenina, 2015-11-26 15:46:15

How to properly sign a certificate with multiple domain names?

I recently asked a similar question and seemed to have found a solution. But I made a mistake (
I'm trying to create a certificate signed by the root. If I create it according to the scheme key -> csr -> then the certificate itself signed with rootCA.crt, everything is fine and the certificate is signed by the root.
If I try to use the config file with the subjectAltName option, the certificate is created, but it is not signed by the root. I do it like this:
openssl req -x509 -nodes -newkey rsa:2048 -days 9999 -keyout key.key -out cert.crt -config conf.ini

Config contents:

[CA_default]
# Directory and file locations.
dir             = /root/ssl/work
private_key     = $dir/certs/rootCA.key
certificate     = $dir/certs/rootCA.crt
policy          = policy_loose
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = RU
ST = Moscow
L = Moscow
O = name
OU = 
CN = name
emailAddress = name
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = dnsname1
DNS.2 = dnsname2
DNS.3 = dnsname3
DNS.4 = dnsname4
DNS.5 = dnsname5

1 answer(s)
borodka_lenina, 2015-11-30

It turns out that the -config option does not add the v3_req extension to the certificate; you must explicitly specify the extensions section in which the additional domains are described, otherwise they will be ignored. That is, first we create a request using the -config option, and then we create the certificate itself with a signature, specifying the file with the extensions:

openssl x509 -req -in test.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out test.crt -days 9999 -extfile conf.ini -extensions v3_req
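The complete workflow from this answer, as an added shell example that is not part of the original post: a throwaway root CA, a CSR built from the config (without -x509, which is what made the asker's certificate self-signed), the root-signed certificate with the SAN section pulled in through -extfile/-extensions, and the two checks a practitioner wants afterwards (chain validation and a hostname match against the SANs). All hostnames, subject fields and file names are constructed placeholders; it assumes openssl in PATH, and it adds basicConstraints and digitalSignature to the asker's v3_req section because ECDHE TLS handshakes sign with the server key.

```shell
#!/bin/sh
# Added example, not code from the original post: key -> CSR (with -config) -> root-signed
# certificate that carries the SANs via -extfile/-extensions, followed by the checks that
# prove it worked. All hostnames, subject fields and file names are constructed placeholders.
set -eu

make_san_cert() (
  cd "$(mktemp -d)"
  cat > conf.ini <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C  = RU
ST = Moscow
L  = Moscow
O  = Example Org
CN = www.example.test
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
# digitalSignature added: ECDHE TLS handshakes sign with the key; the original config lacked it
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = api.example.test
DNS.3 = example.test
EOF
  # 1. Throwaway root CA for the example (in practice rootCA.key/rootCA.crt already exist)
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj '/CN=Example Root CA' \
    -config conf.ini -extensions v3_ca -keyout rootCA.key -out rootCA.crt 2>/dev/null
  # 2. Leaf key + CSR from the config. No -x509 here: that flag is what made the asker's
  #    certificate self-signed instead of root-signed.
  openssl req -new -nodes -newkey rsa:2048 -config conf.ini \
    -keyout test.key -out test.csr 2>/dev/null
  # 3. Sign with the root and pull the SAN extensions in explicitly (the step that was missing)
  openssl x509 -req -in test.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
    -days 365 -extfile conf.ini -extensions v3_req -out test.crt 2>/dev/null
  # 4. Checks: the chain validates against the root AND a SAN hostname matches
  openssl verify -CAfile rootCA.crt -verify_hostname api.example.test test.crt >/dev/null
  # Print the SAN line so the caller can see every name that made it into the certificate
  openssl x509 -in test.crt -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
)
```

Running `make_san_cert` prints the DNS names found in the signed certificate and exits non-zero if the chain or hostname check fails.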
