¿Por qué no aparece SubjectAltName en mi CSR?

3

¿El CSR generado contiene el SubjectAltName ? He configurado el archivo openssl.cnf para admitir extensiones y cuando vuelco el CSR puedo ver que el sujeto está disponible, no el SubjectAltName

Así es como se genera la CSR:

openssl req -new -sha256 -key ./private.key  -out ./cert.csr -config ./openssl.cnf 

y para ver información del CSR que utilicé:

openssl req -noout -text -in  cert.csr 

La salida es

bash:/home/ubuntu# openssl req -noout -text -in  cert.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=sd, ST=sd, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:ae:6f:5d:75:f6:7a:af:2f:af:2b:39:dc:f7:b6:
                    d0:61:3d:49:f7:50:a2:a6:d1:99:d8:ce:a6:24:87:
                    1f:4e:ad:02:58:c9:34:12:78:22:f3:99:29:69:c6:
                    66:78:06:4e:bc:f6:e1:f6:f6:bb:f6:52:97:a4:14:
                    d7:9d:51:03:07:20:5d:10:88:35:db:32:7a:14:9c:
                    ea:e3:55:02:7a:20:bc:3c:24:c5:db:e8:82:12:c5:
                    16:78:cb:fa:0f:79:02:30:f3:23:c1:6b:55:e1:c7:
                    06:78:30:ac:4c:63:6e:74:5d:28:58:69:20:92:90:
                    a2:3c:d3:ad:20:c5:64:e3:22:4c:8a:e0:ad:04:60:
                    2d:c0:3f:d9:05:84:9b:53:1f:17:ac:9e:49:48:68:
                    08:c6:1d:c5:fe:df:28:64:b1:6d:15:f1:90:c0:4f:
                    fe:52:c1:8e:2f:d6:20:81:84:db:ed:43:6b:a7:8c:
                    37:58:a1:7a:fb:a9:4a:80:be:f0:27:d4:4b:13:ac:
                    56:74:6e:5d:0d:a0:09:8d:96:89:92:8f:b0:af:07:
                    d8:92:6b:ea:09:15:f6:0c:68:24:30:33:7f:a3:d9:
                    e6:45:1b:95:aa:79:63:29:60:b2:2b:19:ed:ee:aa:
                    c7:5f:ce:eb:3c:62:1d:79:6a:20:ec:16:38:3b:d4:
                    06:04:db:7c:16:da:1b:cb:5c:67:ff:10:69:03:3e:
                    cd:ee:94:50:45:f4:5c:bb:3b:61:41:fb:00:56:18:
                    8c:76:09:37:b0:40:53:85:12:8e:36:a9:58:0f:4d:
                    72:82:a4:79:85:27:2f:36:1e:21:53:ba:f4:23:75:
                    f1:f6:8b:24:30:d2:e7:47:77:f3:82:6c:73:8d:d4:
                    d4:ad:af:91:a7:4d:e5:66:38:6c:e1:d1:5f:cb:b8:
                    59:7f:26:49:80:8f:2f:f6:24:02:4d:92:b3:e4:bd:
                    ef:e7:69:02:7c:a5:cf:cc:39:ca:c8:42:6c:5f:3e:
                    77:9c:c1:9a:7b:e4:61:8c:20:eb
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         0c:ef:3a:db:29:88:f6:c0:ce:f2:67:ba:61:35:3e:5f:6a:5a:
         2b:85:5f:e1:48:60:60:cb:96:77:8d:30:3b:fe:34:02:4c:04:
         78:a0:d3:ec:df:6e:43:02:92:ae:5c:6f:3c:60:fa:b7:36:d7:
         bc:d2:4b:1b:5d:61:67:d1:09:3d:6c:ee:56:81:cd:14:be:c9:
         33:b9:32:c7:eb:1d:59:f6:5c:98:6c:ae:92:27:94:15:d1:74:
         0e:55:8f:2f:9c:6e:9f:85:80:c7:b6:d7:5b:a1:41:82:f4:a8:
         73:08:de:45:5f:76:23:60:71:81:f4:ed:e0:cf:f1:14:d4:1c:
         a6:c5:f9:a4:b6:e5:d6:01:01:7c:6a:3d:aa:a2:87:25:7c:c5:
         e2:d2:0a:12:83:33:65:71:dd:43:7e:35:50:f9:99:77:72:8c:
         56:5a:d7:37:cb:a1:ea:87:a9:5f:a9:9d:c7:ae:35:59:85:02:
         3e:bd:ae:5e:c7:7a:95:31:bf:b2:0d:c8:0c:d9:45:6e:29:02:
         2a:6b:cd:5e:73:b9:31:7a:3e:95:c1:28:f7:0b:f5:26:36:eb:
         f4:ac:cc:1d:ef:01:ee:fd:a1:8b:eb:bc:f4:46:9d:42:1e:6f:
         81:2f:7a:fc:90:9e:20:24:c1:79:e9:85:04:cb:23:f4:8a:8e:
         70:33:48:50:dd:0a:30:00:bf:71:7e:15:31:23:dc:a7:b2:92:
         dd:37:d9:83:b5:1b:3c:84:17:ce:49:17:04:2b:6d:0a:7c:51:
         fa:e8:d6:97:a8:c1:96:6c:eb:c6:f1:2f:69:27:b8:c2:75:fc:
         f7:5b:d2:b8:bf:e6:d9:da:6d:3f:de:da:27:46:4d:3f:6a:b0:
         f8:b9:1a:cf:3c:29:67:7f:c4:be:bd:c1:37:db:cd:ae:d5:27:
         d3:2d:bc:71:ed:f1:d6:b5:bd:9b:ef:8b:08:c4:d2:c4:ef:ca:
         61:d2:c0:19:04:26:07:02:d3:39:56:57:05:48:a9:3d:d9:40:
         f6:2f:67:df:dd:55

Mi archivo openssl.cnf alt_names habilitado:

HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca      = CA_default
[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
copy_extensions = copy
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectAltName      = @alternate_names
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]

default_tsa = tsa_config1       # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir             = ./demoCA              # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
digests         = md5, sha1             # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
[ alternate_names ]
DNS.1        = test.xyz.com
    
pregunta anish 19.01.2016 - 13:46
fuente

1 respuesta

3

Como lo indica @StackzOfZtuff, el problema es que no le está diciendo a openSSL que incluya SAN en su CSR.

Puede encontrar una guía para hacerlo aquí , y básicamente sugiere hacer:

[ req ]
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
req_extensions     = req_ext # The extentions to add to the self signed cert
<...snip....>

[ req_ext ]
subjectAltName          = @alt_names

[alt_names]
DNS.1   = test.domain.com
DNS.2   = other.domain.com
DNS.3   = www.domain.net

Pones eso (y la información req_distinguished_name apropiada) en un archivo req.conf, luego ejecutas openssl req -new -nodes -out myreq.csr -config req.conf .

Los aspectos clave para hacer este trabajo son:

  • openSSL usa la sección [req] al generar un CSR
  • la sección [req] proporciona algunos req_extensions , que incluyen un campo SAN.

Sin embargo, solo necesita SAN en su CSR si su CA realmente los respeta, lo cual no es tan común como AFAIK (pero es posible que no sepa mucho).

    
respondido por el iwaseatenbyagrue 26.03.2017 - 16:06
fuente

Lea otras preguntas en las etiquetas