Subject Alternative Name not present in certificate

Signing a CSR with alt names is described well here: https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html#creating-certificates-valid-for-multiple-hostnames

In short, you create a something.ext file containing just the alt names:

subjectAltName = DNS:*.my.alt.dns, DNS:my.alt.dns

and then refer to this file in the openssl x509 -req ... command: -extfile something.ext. Note that it happens when signing the CSR, not when preparing it.


For everybody who doesn't like to edit the system-wide openssl.conf, there's a native openssl CLI option for adding the SANs to the .crt from a .csr. All you have to use is openssl's -extfile and -extensions CLI parameters.

Here's an example:

openssl x509 -req -days 3650 -in alice.csr -signkey aliceprivate.key -out alice.crt -extfile alice-csr.conf -extensions v3_req

This requires an alice-csr.conf file, which looks like this (fill in your appropriate data) and which was used to generate the .csr with the command openssl req -new -key aliceprivate.key -out alice.csr -config alice-csr.conf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = DE
ST = Thuringia
L = Erfurt
O = Alice Corp
OU = Team Foo
CN = server-alice

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server-alice
DNS.2 = localhost

Keep in mind that the -extensions v3_req option corresponds to the [v3_req] section in the file alice-csr.conf, where you define your Subject Alternative Names, aka the domains which you want to issue your certificate to.

As I always appreciate fully comprehensible examples, where one could reproduce every step, I created an example project featuring Spring Boot microservices: https://github.com/jonashackt/spring-boot-rest-clientcertificates-docker-compose
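The effect the two answers above describe, as an added example that is not part of the original answers: the same CSR is self-signed once without and once with -extfile/-extensions, and each file is checked for the SAN. The file names follow the answer above; the reduced config, the no-extfile.crt and with-extfile.crt names, the temporary directory and the helper functions are assumptions made for this example.

```shell
#!/bin/sh
# Added example: helper names and the temporary directory are constructed.

# has_san KIND FILE: KIND is "req" (CSR) or "x509" (certificate).
# Succeeds when the SAN entry DNS:server-alice is present in FILE.
has_san() {
    openssl "$1" -in "$2" -noout -text | grep -q 'DNS:server-alice'
}

# build_certs DIR: create key, CSR and two self-signed certificates in DIR.
build_certs() {
    cat > "$1/alice-csr.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = server-alice

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = server-alice
DNS.2 = localhost
EOF
    openssl genrsa -out "$1/aliceprivate.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$1/aliceprivate.key" -out "$1/alice.csr" \
        -config "$1/alice-csr.conf" || return 1
    # Signed without -extfile: the SAN requested in the CSR is not carried over.
    openssl x509 -req -days 30 -in "$1/alice.csr" -signkey "$1/aliceprivate.key" \
        -out "$1/no-extfile.crt" 2>/dev/null || return 1
    # Signed with -extfile/-extensions: the SAN is written into the certificate.
    openssl x509 -req -days 30 -in "$1/alice.csr" -signkey "$1/aliceprivate.key" \
        -out "$1/with-extfile.crt" -extfile "$1/alice-csr.conf" \
        -extensions v3_req 2>/dev/null
}

# report: build everything in a temp directory and print where the SAN appears.
report() {
    dir=$(mktemp -d) || return 1
    build_certs "$dir" || { rm -rf "$dir"; return 1; }
    for f in alice.csr no-extfile.crt with-extfile.crt; do
        case $f in *.csr) kind=req ;; *) kind=x509 ;; esac
        has_san "$kind" "$dir/$f" && echo "$f: SAN present" || echo "$f: SAN missing"
    done
    rm -rf "$dir"
}

report
```

The same has_san check can be run against any issued certificate before deploying it, since clients that validate hostnames against the SAN will reject a certificate where it is missing.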


You can use:

copy_extensions = copy

under your CA_default section in your openssl.cnf, but only when you're sure that you can trust the extensions in the CSR, as pointed out in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html

See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?