{"id":1285,"date":"2017-06-29T09:32:43","date_gmt":"2017-06-29T14:32:43","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=1285"},"modified":"2017-06-29T12:51:58","modified_gmt":"2017-06-29T17:51:58","slug":"san-certificates-from-openssl-ca","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=1285","title":{"rendered":"SAN Certificates From OpenSSL CA"},"content":{"rendered":"<p>For some reason, I had to combine three different sets of instructions to get a SAN added to my certificate. Getting the SAN into the\u00a0<em>request<\/em> was easy enough &#8230; but actually carrying the extension through to the signed certificate was a significant challenge. There may be unnecessary changes in my custom config file, but this process\u00a0<em>worked.<\/em><\/p>\n<p>The reason the SAN kept disappearing: <code>openssl x509 -req<\/code> does not copy extensions from the CSR into the signed certificate. Whatever extensions the certificate ends up with must be supplied again at signing time with <code>-extfile<\/code> and <code>-extensions<\/code>. The <code>copy_extensions<\/code> setting below is only honored by <code>openssl ca<\/code>, so it is harmless here but not what makes this work. This matters because modern clients (Chrome 58 and later, for example) ignore the CN entirely and match the hostname against the SAN, so a certificate that loses its SAN at signing fails hostname validation even though it looks fine at a glance.<\/p>\n<p>cp \/etc\/pki\/tls\/openssl.cnf .\/myssl.cnf<\/p>\n<p>Edit the copied file (i.e. don&#8217;t change your OpenSSL default config)<br \/>\n# Uncomment (only used by openssl ca; harmless here):<br \/>\ncopy_extensions = copy<br \/>\n# Optionally uncomment and point at the section added below. The -reqexts flag used later overrides this setting, so it is not required:<br \/>\nreq_extensions = req_ext<\/p>\n<p># Add:<br \/>\n[ req_ext ]<br \/>\nsubjectAltName = @alt_names<\/p>\n<p>[ alt_names ]<br \/>\nDNS.1 = exchange01.rushworth.us<br \/>\nDNS.2 = exchange01<\/p>\n<p>Save the file and we&#8217;re ready to create a certificate. Make a key (you will be prompted for a passphrase, which you need again when creating the request and the PFX export)<\/p>\n<p>openssl genrsa -aes256 -out exchange01.rushworth.us.key 2048<\/p>\n<p>Then create the cert request using the copied config file. Include the -reqexts option with the name of the section of your custom file that holds subjectAltName (it is called req_ext in my cnf file, so I used -reqexts req_ext)<br \/>\nopenssl req -new -key exchange01.rushworth.us.key -config .\/myssl.cnf -reqexts req_ext -out exchange01.rushworth.us.csr<\/p>\n<p>Sign the request against your CA &#8211; again using the custom config file and the req_ext section, this time via -extfile and -extensions. If the CA does not have a serial file (\/ca\/ca.srl) yet, add -CAcreateserial.<br \/>\nopenssl x509 -req -in exchange01.rushworth.us.csr -extensions req_ext -extfile .\/myssl.cnf -out exchange01.rushworth.us.cer -days 365 -CA \/ca\/ca.cer -CAkey \/ca\/ca.key -sha256<\/p>\n<p>Before doing anything else, verify that your SAN values are in the certificate<\/p>\n<p>[lisa@linux02]# openssl x509 -in exchange01.rushworth.us.cer -noout -text | grep -A1 Alternative<br \/>\nX509v3 Subject Alternative Name:<br \/>\nDNS:exchange01.rushworth.us, DNS:exchange01<\/p>\n<p>If you are using the certificate in something that understands PEM-encoded keys and certificates, you are set. If you are trying to get a certificate for a Windows server, create a PFX export of the public\/private key pair and then import the PFX to your computer&#8217;s personal certificate store. The PFX contains the private key, so set an export password when prompted, move the file over a trusted channel, and delete it once the import has succeeded.<\/p>\n<p>openssl pkcs12 -export -out exchange01.rushworth.us.pfx -inkey exchange01.rushworth.us.key -in exchange01.rushworth.us.cer<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For some reason, I had to combine three different sets of instructions to get a SAN added to my certificate. Getting the SAN into the\u00a0request was easy enough &#8230; but actually carrying the extension through to the signed certificate was a significant challenge. 
There may be unnecessary changes in my custom config file, but this &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[234,208,209],"class_list":["post-1285","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-openssl","tag-san","tag-subject-alternative-name"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1285"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1285\/revisions"}],"predecessor-version":[{"id":1286,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1285\/revisions\/1286"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
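The full procedure from the post, as an added self-contained shell example (these are not the post's own commands). It builds a throwaway CA in a temporary directory, generates the key and a CSR that carries the SAN via -reqexts, then signs the CSR twice: once without -extfile/-extensions to reproduce the failure mode the post ran into (the SAN silently disappears), and once the right way. It finishes with the client-side check that actually matters, openssl verify -verify_hostname, and a PFX export read back to confirm the SAN survives the PKCS#12 round trip. Everything not in the post is an assumption: the CA name 'Demo Root CA', unencrypted keys and a fixed PFX password so the script is non-interactive, the minimal [ req ] and [ v3_ca ] sections, and an openssl binary (1.1.0 or newer, for -verify_hostname) on PATH.

```shell
#!/bin/sh
# Added example, not the post's own commands: end-to-end SAN round trip against a
# throwaway CA in a temp directory, plus the failure mode the post ran into.
# Assumptions (hypothetical): CA name 'Demo Root CA', unencrypted keys and a fixed
# PFX password so the script is non-interactive, 'openssl' 1.1.0+ on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed config: the [ req_ext ] / [ alt_names ] sections from the post, plus a
# minimal [ req ] and a v3_ca section so the throwaway root is a valid trust anchor.
cat > myssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = exchange01.rushworth.us

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = exchange01.rushworth.us
DNS.2 = exchange01
EOF

# Throwaway CA (self-signed; -subj overrides the [ dn ] section).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer -days 30 \
    -config ./myssl.cnf -subj '/CN=Demo Root CA' >/dev/null 2>&1

# Server key and a CSR that carries the SAN; -reqexts names the section.
openssl genrsa -out server.key 2048 >/dev/null 2>&1
openssl req -new -key server.key -config ./myssl.cnf -reqexts req_ext \
    -out server.csr 2>/dev/null

# SAN line of a certificate file, or an empty string when the extension is absent.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Wrong way: openssl x509 -req ignores the extensions in the CSR, so the SAN is dropped.
sign_without_ext() {
    openssl x509 -req -in server.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
        -out lost.cer -days 365 -sha256 >/dev/null 2>&1
    san_of lost.cer
}

# Right way: supply the section again at signing time with -extfile/-extensions.
sign_with_ext() {
    openssl x509 -req -in server.csr -extensions req_ext -extfile ./myssl.cnf \
        -CA ca.cer -CAkey ca.key -CAcreateserial \
        -out server.cer -days 365 -sha256 >/dev/null 2>&1
    san_of server.cer
}

# Hostname check the way a TLS client does it: chain to the CA and match the name.
verify_host() {
    if openssl verify -CAfile ca.cer -verify_hostname "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Windows step: export a PFX and read the certificate back out of it, to confirm
# the SAN survives the PKCS#12 round trip.
pfx_san() {
    openssl pkcs12 -export -out server.pfx -inkey server.key -in server.cer \
        -passout pass:demo-only >/dev/null 2>&1
    openssl pkcs12 -in server.pfx -passin pass:demo-only -nokeys -clcerts \
        -out from-pfx.cer >/dev/null 2>&1
    san_of from-pfx.cer
}

# Stand-alone run: show both signings side by side.
echo "without -extfile: [$(sign_without_ext)]"
echo "with -extfile:    [$(sign_with_ext)]"
echo "exchange01 vs lost.cer:   $(verify_host exchange01 lost.cer)"
echo "exchange01 vs server.cer: $(verify_host exchange01 server.cer)"
echo "SAN read back from PFX:   $(pfx_san)"
```

The leaf signed without -extfile still has CN=exchange01.rushworth.us, so OpenSSL's own CN fallback may accept it for the FQDN, but the short name exchange01 only ever lives in the SAN and fails against that certificate; a browser that ignores the CN rejects both. In a real deployment keep the CA key off the signing host's working directory and use the passphrase-protected key from the post rather than the unencrypted demo key used here.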