There are very good how-tos on creating an OpenSSL configuration file with the necessary subject alternative name extensions. Copy the entire "openssl.cfg", save it as "subaltname.cfg", and add the following lines in the "req" and "v3_req" sections:
[ req ]
req_extensions = v3_req

[ v3_req ]
subjectAltName = DNS:srv.example.com, IP:172.16.0.10
extendedKeyUsage = serverAuth, clientAuth

NOTE: Extended Key Usage is not required, but is included as many applications using Subject Alternative Names use the generated SSL certificates for both purposes.
Generating the certificate signing request (CSR) requires using the command line option "-config [filename]".

# openssl req -new -newkey rsa:2048 -sha256 \
-nodes -out rui.csr -keyout rui.key \
-config subaltname.cfg

Verify the CSR contains the X509v3 Subject Alternative Name.

# openssl req -in rui.csr -noout -text
[...]
X509v3 Subject Alternative Name:
DNS:srv.example.com, IP Address:172.16.0.10
[...]

Likewise, certificate generation requires command line option(s) too. However, they are not the same options; use "-extfile [filename] -extensions v3_req" instead.

# openssl x509 -req -CA ca.crt -CAkey ca.key \
-set_serial 01 -days 2880 -in rui.csr -out rui.crt \
-extfile subaltname.cfg -extensions v3_req

Again, verify the certificate contains the X509v3 Subject Alternative Name.

# openssl x509 -in rui.crt -text -noout
[...]
X509v3 Subject Alternative Name:
DNS:srv.example.com, IP Address:172.16.0.10
[...]
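
The two verification steps above can be combined into one check that fails when the signed certificate lacks a SAN entry the CSR requested. This is an added example, not part of the original post; the helper names san_of and san_check and the embedded sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example; san_of and san_check are hypothetical helper names.

# Print the SAN entries found in "-noout -text" output on stdin, one per
# line, sorted. Prints nothing when the extension is absent.
san_of() {
    awk 'found { print; exit } /X509v3 Subject Alternative Name:/ { found = 1 }' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
        sort
}

# san_check CSR_TEXT CERT_TEXT: succeed only if the certificate has a SAN
# extension containing every entry the CSR requested.
san_check() {
    want=$(printf '%s\n' "$1" | san_of)
    have=$(printf '%s\n' "$2" | san_of)
    if [ -z "$have" ]; then
        echo "FAIL: certificate has no subjectAltName"
        return 1
    fi
    missing=$(printf '%s\n' "$want" | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        printf '%s\n' "$have" | grep -Fxq -- "$entry" || printf ' %s' "$entry"
    done)
    if [ -n "$missing" ]; then
        echo "FAIL: missing from certificate:$missing"
        return 1
    fi
    echo "OK"
}

# Constructed sample inputs, trimmed to the relevant lines.
CSR_TEXT='        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:srv.example.com, IP Address:172.16.0.10
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'
CERT_OK='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:srv.example.com, IP Address:172.16.0.10'
# A certificate signed without "-extfile ... -extensions v3_req" (constructed).
CERT_NO_SAN='        Subject: CN = srv.example.com
    Signature Algorithm: sha256WithRSAEncryption'

san_check "$CSR_TEXT" "$CERT_OK"
san_check "$CSR_TEXT" "$CERT_NO_SAN" || true
```

With real files, pass the command output directly: san_check "$(openssl req -in rui.csr -noout -text)" "$(openssl x509 -in rui.crt -noout -text)".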
Your feedback is needed! If this post was helpful, incorrect or could be better, please comment below.
Also see these other SSL related posts:
SSL Management Tasks
SSL Management Tasks Revisited
Retrieve SSL certificates