How to properly sign a certificate with multiple domain names?
I recently asked a similar question and seemed to have found a solution. But I made a mistake (
I'm trying to create a certificate signed by root. If I create it according to the scheme key -> csr -> the certificate itself, signed with rootCA.crt, then everything is fine and the certificate is signed by root.
If I try to use the config file with the subjectAltName option, then the certificate is created, but it is not signed by root. I do it like this:
openssl req -x509 -nodes -newkey rsa:2048 -days 9999 -keyout key.key -out cert.crt -config conf.ini

config contents:
[ CA_default ]
# Directory and file locations.
# Note: this section is only read by "openssl ca"; "openssl req" ignores it.
dir = /root/ssl/work
private_key = $dir/certs/rootCA.key
certificate = $dir/certs/rootCA.crt
policy = policy_loose

[ req ]
distinguished_name = req_distinguished_name
# x509_extensions is applied only when "openssl req" is run with -x509 (self-signed output).
x509_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = RU
ST = Moscow
L = Moscow
O = name
OU =
CN = name
emailAddress = name

[ v3_req ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
# The SAN list lives in the alt_names section below.
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = dnsname1
DNS.2 = dnsname2
DNS.3 = dnsname3
DNS.4 = dnsname4
DNS.5 = dnsname5
It turns out that the -config option does not add the v3_req extension to the certificate; you must explicitly specify the extensions in which the additional domains are described, otherwise they will be ignored. That is, first we create a request using the -config option
And then we create the certificate itself with a signature, specifying the file with extensions:
openssl x509 -req -in test.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out test.crt -days 9999 -extfile conf.ini -extensions v3_req
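A complete, runnable version of the flow this answer describes, added here as an example (it is not code from the original post): a throwaway root CA, a key and CSR produced from a config with a v3_req section, the signing step with -extfile/-extensions v3_req, and then the two checks worth running before deploying such a certificate, that it validates against the root and that every intended name is present in the SAN. The working directory (a mktemp temp dir), the hostnames under example.test and the subject fields are constructed for the example. The question's `openssl req -x509` command self-signs whatever it generates, which is why that certificate never chained to the root; in this script only the root itself uses -x509.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed/constructed values:
# hostnames under example.test, subject "Demo Root CA", a mktemp work dir.
set -eu

# Request config. v3_req carries the SAN list; it is only attached to the
# final certificate when named explicitly at signing time (-extensions v3_req),
# because "openssl x509 -req" does not read extensions out of the CSR.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C  = RU
ST = Moscow
L  = Moscow
O  = Example Org
CN = www.example.test

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.test
DNS.2 = api.example.test
DNS.3 = example.test
EOF
}

# The root is the one place -x509 belongs: it is self-signed by design.
make_root_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=Demo Root CA" \
        -config "$1/conf.ini" -extensions v3_ca \
        -keyout "$1/rootCA.key" -out "$1/rootCA.crt" >/dev/null 2>&1
}

# Step 1: key + CSR from the config (no -x509, so nothing is self-signed).
# Step 2: sign the CSR with the root and attach v3_req from the same file.
issue_leaf() {
    dir=$1
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/conf.ini" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 90 -extfile "$dir/conf.ini" -extensions v3_req \
        -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Pre-deployment checks: the chain validates against the root, and the SAN
# contains every name. Prints "ok" on success, otherwise the first failure.
check_leaf() {
    dir=$1
    openssl verify -CAfile "$dir/rootCA.crt" "$dir/leaf.crt" >/dev/null 2>&1 \
        || { echo "not-signed-by-root"; return 1; }
    san=$(openssl x509 -in "$dir/leaf.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    for name in www.example.test api.example.test example.test; do
        case "$san" in
            *"DNS:$name"*) ;;
            *) echo "missing-san:$name"; return 1 ;;
        esac
    done
    echo ok
}

# Runs the whole flow in a temp dir and prints the check result.
run_demo() {
    dir=$(mktemp -d)
    write_config "$dir/conf.ini"
    make_root_ca "$dir"
    issue_leaf "$dir"
    check_leaf "$dir"
    rm -rf "$dir"
}

run_demo
```

Two points beyond the answer itself. `openssl x509 -req` ignores any extensions the CSR carries, so the SAN list has to be supplied again at signing time through -extfile/-extensions, which is exactly the mechanism this answer relies on (recent OpenSSL 3.x releases also offer a -copy_extensions option on `openssl x509`, but explicit -extensions works on every version). For a TLS server certificate, keyUsage should include digitalSignature, since ECDHE cipher suites sign the key exchange rather than using keyEncipherment; and the 9999-day validity from the post is worth shortening, which is why the example issues the leaf for 90 days.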