IncludeCertGenerateCSRAltNames
The method originally shown here was unreliable. It perhaps always was a red herring, actually. It was based on the notion that using command-line options to specify certificate contents was a good idea. In fact, it would have always been better to learn how to edit and use an appropriate openssl.cnf type file. I will be learning to use such a .cnf file and hope to post details as a better alternative to this method.
In 2015, it seemed that if you wanted to ask for additional Subject Alternative Names (SANs) in your submission to GlobalSign, your CSR needed to contain matching information.
The method used here was taken directly from
http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html
Interestingly enough, the blogger has since replaced the method which I used here with a new version showing how to use a .cnf file instead.
Observations regarding CSR and SANs:
* SAN list in CSR must match old certificate exactly, including ordering
* SAN list entered in text box must match that, but minus the CN name
* That is, CSR and Certificate contain an extra SAN not in text box
* And you cannot change SANs as a side-effect while renewing
The openssl command tends to be on a normal user's path, and has subcommands useful for examining and working with SSL certificates and their components. For example, you can use openssl req -text to get a more readable (well, detailed) version of the CSR; add -noout if you want only the decoded text, without the PEM block printed again after it.
root@www152# openssl req -text < test1.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cs.uwaterloo.ca/subjectAltName=DNS.1=www.cs.uwaterloo.ca,DNS.2=cs.uwaterloo.ca,DNS.3=www.scg.uwaterloo.ca,DNS.4=scg.uwaterloo.ca,DNS.5=odyssey.uwaterloo.ca,DNS.6=crysp.uwaterloo.ca,DNS.7=ripple.uwaterloo.ca,DNS.8=wwwtest.cs.uwaterloo.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:bb:01:33:73:fa:a5:03:e8:ee:51:eb:13:80:
80:ee:79:38:3e:8f:b5:35:0a:d3:f0:e8:19:f7:63:
6d:89:83:dd:0f:8e:6e:6a:d1:31:81:e9:76:71:cf:
d1:66:81:f3:1f:65:e6:eb:31:9f:86:e3:1d:99:75:
51:5f:e3:04:12:5a:57:bf:45:50:43:65:eb:85:3c:
a7:d7:b1:94:d6:42:ad:57:12:dd:8b:2b:f5:c8:c2:
bc:aa:3a:6a:4a:75:4c:70:dd:3d:09:f3:2f:96:97:
5e:62:e2:80:10:0e:0b:3b:30:2a:5a:86:1c:a3:7f:
b8:41:7f:bd:25:e6:2d:f7:1d:3c:16:1e:4d:b8:c3:
38:71:e1:8d:0f:3d:11:09:db:0e:6e:98:35:83:fe:
d2:b4:a2:76:e1:fb:71:51:e7:a0:11:57:15:3a:c1:
ad:9c:c1:d9:74:d2:f8:1f:66:1d:d3:10:da:dd:ba:
34:ab:90:b6:68:5a:b7:0e:4d:ee:84:1d:c1:1c:3f:
09:23:73:9d:3c:03:99:07:3e:8a:41:0b:2d:55:ad:
c7:22:24:9b:b0:08:8a:38:db:64:9f:5f:c0:f4:9d:
51:cc:a7:21:6e:c5:60:25:75:1c:28:25:b6:27:b4:
a6:81:e5:a0:ba:6e:df:c1:c8:78:0d:6a:2d:35:1e:
b7:71
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
bf:0f:50:3f:aa:18:3a:04:62:5a:cd:3a:31:2b:94:38:ed:1e:
2d:29:c5:8e:d2:d3:30:d1:cb:5f:7a:91:ad:5c:4d:e3:40:17:
09:ff:26:91:0c:ef:41:ae:4d:d7:12:98:a9:35:79:82:c5:06:
1e:8d:18:63:45:2c:38:c5:aa:8d:1b:25:16:7a:3a:fd:87:6c:
bd:43:04:52:3b:ad:52:b7:7b:57:49:cd:72:ef:c1:94:86:e2:
84:73:10:ad:9a:d3:95:19:2a:78:f0:38:c5:0c:ae:d0:1b:c7:
cb:a7:0b:60:42:a2:f2:e5:a0:1c:35:8f:21:b8:9d:3e:a4:35:
92:62:8b:a8:c0:09:ef:46:2f:1a:66:0c:a6:9d:eb:39:17:42:
f2:35:82:82:5d:58:6f:ef:4c:79:20:57:2c:d2:5f:04:52:be:
f2:6c:c0:64:53:de:ad:ff:7b:a9:59:0a:f2:ad:50:5d:d8:54:
55:99:58:02:07:bf:79:01:15:3f:02:0b:ac:f9:3e:e3:03:cc:
d0:e0:79:00:df:65:63:08:bf:5a:39:0c:f6:84:42:8f:7f:66:
22:53:a3:ba:79:df:02:77:bc:a9:51:1a:e6:43:73:43:8a:01:
77:bd:fb:77:7a:47:da:c8:6f:35:1a:42:86:ad:94:99:7d:da:
04:d5:36:45
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
I did the above just as an example. I generated a new key, and will throw it and the CSR away without using them for anything in production.
The final certificate must also include the name given in the CN field in its Subject Alternative Name section, since clients match the hostname against the SAN list rather than against the CN. For this reason, we arrange to specify it in our CSR, and that seems to work. An oddity is, however, that in the corresponding box where GlobalSign requires you to list the SAN values, you must omit that value (although GlobalSign always includes the CN value in the SAN list).

Note what the dump above actually shows, though: the extra names ended up as part of the CN string of the Subject, and the Attributes section is empty (a0:00), so this CSR carries no subjectAltName extension at all. A CSR built from a config file with a req_extensions section shows them instead under Attributes, as Requested Extensions, X509v3 Subject Alternative Name. The request above is also signed with sha1WithRSAEncryption; pass -sha256 to openssl req when generating new ones.
In the submission stage (which will mostly be covered later), at the GlobalSign submission page, you must select

Add specific Subject Alternative Names (SANs) [ ] No [X] Yes

That expands and opens up four more options. You actually want to select, expand, and proceed with Secure Additional Subdomains. The option is badly titled and likely should say Fully Qualified Domain Names instead of subdomains. In particular, you will get nowhere if you try Secure Additional Domain Names since in that case, all names must be non-FQDN, and, I think, relative to the CN of the certificate.
The following production certificate was generated (i.e. received from GlobalSign after appropriately submitting the CSR at their form page) using a CSR very similar to the above, but with a different private/public key pair. Note where the specified names appear in the Subject Alternative Name section under X509v3 extensions.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:21:90:7a:78:1d:e5:b4:7e:fd:18:b8:b3:48:47:59:2c:f7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
Validity
Not Before: Mar 25 17:51:09 2015 GMT
Not After : Mar 25 17:51:09 2016 GMT
Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cs.uwaterloo.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:bb:ed:a7:25:6a:e6:d3:9a:59:95:af:88:2e:
8b:24:2a:97:20:41:51:80:b3:d5:35:6a:6e:a7:0c:
90:dd:3b:ca:ca:d6:4e:9a:2b:69:b0:ee:fa:79:dd:
4e:80:18:08:ef:43:e2:a2:06:07:a8:43:75:10:7e:
f4:ac:d2:70:44:7f:94:11:b4:0a:0b:1b:9a:a9:41:
9b:8b:35:82:da:44:cf:b2:44:54:3a:31:be:80:6c:
79:53:d7:51:9c:4f:e8:75:bd:51:ae:3a:45:4e:d2:
f9:3a:1c:03:c7:d4:9e:c2:ee:3b:8f:9a:80:08:1a:
fc:67:a9:f1:cc:ae:ae:93:8b:52:c4:3e:cf:58:c2:
14:3a:4a:4c:4f:df:86:e3:0c:11:6d:70:22:be:2f:
6b:43:5a:e3:4c:fe:5c:42:52:9c:b0:68:6a:9e:6a:
a2:66:e8:a1:0c:69:0e:94:84:3f:42:ec:53:a7:fa:
d3:1a:eb:b6:f8:ef:eb:cb:97:8e:c4:0d:1d:86:13:
ae:59:2b:a1:d4:8a:27:a9:9b:3a:b1:f8:1e:cc:06:
6b:a7:fe:8a:41:be:12:d2:af:0e:93:5c:97:1d:c7:
8f:f2:e4:0c:aa:3d:e4:f9:3e:bc:04:72:44:df:50:
e3:d8:74:0f:96:93:c9:05:53:fe:14:df:05:8e:0c:
99:07
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: https://www.globalsign.com/repository/
X509v3 Subject Alternative Name:
DNS:cs.uwaterloo.ca, DNS:www.cs.uwaterloo.ca, DNS:www.scg.uwaterloo.ca, DNS:scg.uwaterloo.ca, DNS:odyssey.uwaterloo.ca, DNS:crysp.uwaterloo.ca, DNS:ripple.uwaterloo.ca, DNS:wwwtest.cs.uwaterloo.ca
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl
Authority Information Access:
CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
OCSP - URI:http://ocsp2.globalsign.com/gsorganizationvalsha2g2
X509v3 Subject Key Identifier:
42:EF:03:65:9D:95:7A:02:67:30:B5:DB:2B:FB:CB:A3:69:2A:9E:1C
X509v3 Authority Key Identifier:
keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C
Signature Algorithm: sha256WithRSAEncryption
5b:84:5c:ba:46:e7:1e:95:34:1c:8a:92:dd:4a:6c:ef:82:2f:
12:b1:91:05:aa:c4:30:f8:83:75:c4:3e:06:3c:11:4d:0b:14:
7c:a4:d3:ca:e7:a9:e3:93:f3:76:5a:15:1d:81:f4:e4:cf:8d:
0d:1a:93:34:74:7d:15:29:aa:29:26:2e:c4:ea:33:ce:09:9c:
0f:17:f7:2f:ed:92:21:a1:9c:6a:ef:4e:1d:64:7c:51:e5:0a:
bf:1f:41:e9:20:a1:6d:ad:d6:5b:9b:e3:01:95:52:58:8f:b3:
9f:d3:5f:8d:93:bb:ef:ae:37:b1:81:b4:d2:1b:76:2b:1d:4c:
f8:9e:af:ea:2b:21:7a:90:9d:f5:57:5e:e6:4d:0e:44:6c:ae:
39:d3:b0:60:73:82:fa:d9:3d:c9:8a:24:5a:de:d2:6f:33:0a:
5d:51:64:75:f6:24:16:e6:81:1e:2b:da:2a:b8:c7:14:cc:3d:
5d:ee:ec:b4:f4:7c:20:a8:e0:95:05:36:b9:b5:05:e1:c3:26:
08:1e:14:84:19:8f:fa:94:97:2c:78:53:84:64:11:6b:0c:b3:
89:d3:f2:46:ca:3e:f4:2c:61:2d:dd:64:f7:f5:0e:60:cd:79:
8a:38:43:d3:c1:61:26:64:f7:14:59:6f:a2:fb:be:3e:d4:87:
3f:31:8b:8d
-----BEGIN CERTIFICATE-----
MIIFzDCCBLSgAwIBAgISESGQengd5bR+/Ri4s0hHWSz3MA0GCSqGSIb3DQEBCwUA
MGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYD
VQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hB
MjU2IC0gRzIwHhcNMTUwMzI1MTc1MTA5WhcNMTYwMzI1MTc1MTA5WjBtMQswCQYD
VQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAd
BgNVBAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xGDAWBgNVBAMTD2NzLnV3YXRl
cmxvby5jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANm77aclaubT
mlmVr4guiyQqlyBBUYCz1TVqbqcMkN07ysrWTporabDu+nndToAYCO9D4qIGB6hD
dRB+9KzScER/lBG0CgsbmqlBm4s1gtpEz7JEVDoxvoBseVPXUZxP6HW9Ua46RU7S
+TocA8fUnsLuO4+agAga/Gep8cyurpOLUsQ+z1jCFDpKTE/fhuMMEW1wIr4va0Na
40z+XEJSnLBoap5qombooQxpDpSEP0LsU6f60xrrtvjv68uXjsQNHYYTrlkrodSK
J6mbOrH4HswGa6f+ikG+EtKvDpNclx3Hj/LkDKo95Pk+vARyRN9Q49h0D5aTyQVT
/hTfBY4MmQcCAwEAAaOCAmswggJnMA4GA1UdDwEB/wQEAwIFoDBJBgNVHSAEQjBA
MD4GBmeBDAECAjA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWdu
LmNvbS9yZXBvc2l0b3J5LzCBsQYDVR0RBIGpMIGmgg9jcy51d2F0ZXJsb28uY2GC
E3d3dy5jcy51d2F0ZXJsb28uY2GCFHd3dy5zY2cudXdhdGVybG9vLmNhghBzY2cu
dXdhdGVybG9vLmNhghRvZHlzc2V5LnV3YXRlcmxvby5jYYISY3J5c3AudXdhdGVy
bG9vLmNhghNyaXBwbGUudXdhdGVybG9vLmNhghd3d3d0ZXN0LmNzLnV3YXRlcmxv
by5jYTAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJ
BgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2dzL2dz
b3JnYW5pemF0aW9udmFsc2hhMmcyLmNybDCBoAYIKwYBBQUHAQEEgZMwgZAwTQYI
KwYBBQUHMAKGQWh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dz
b3JnYW5pemF0aW9udmFsc2hhMmcycjEuY3J0MD8GCCsGAQUFBzABhjNodHRwOi8v
b2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3Nvcmdhbml6YXRpb252YWxzaGEyZzIwHQYD
VR0OBBYEFELvA2WdlXoCZzC12yv7y6NpKp4cMB8GA1UdIwQYMBaAFJbeYfG9HBYp
UxzAzH07gwBA5hp8MA0GCSqGSIb3DQEBCwUAA4IBAQBbhFy6RucelTQcipLdSmzv
gi8SsZEFqsQw+IN1xD4GPBFNCxR8pNPK56njk/N2WhUdgfTkz40NGpM0dH0VKaop
Ji7E6jPOCZwPF/cv7ZIhoZxq704dZHxR5Qq/H0HpIKFtrdZbm+MBlVJYj7Of01+N
k7vvrjexgbTSG3YrHUz4nq/qKyF6kJ31V17mTQ5EbK4507Bgc4L62T3JiiRa3tJv
MwpdUWR19iQW5oEeK9oquMcUzD1d7uy09HwgqOCVBTa5tQXhwyYIHhSEGY/6lJcs
eFOEZBFrDLOJ0/JGyj70LGEt3WT39Q5gzXmKOEPTwWEmZPcUWW+i+74+1Ic/MYuN
-----END CERTIFICATE-----
If, even after adjusting the GlobalSign submission page to specify the SANs in the appropriate box, your submission still fails with something like "SANs do not match certificate request", then you might need to resort to the more complicated procedure, currently documented at
* http://apetec.com/support/GenerateSAN-CSR.htm
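The two checks worth running before submitting, as an added example that is not the author's method, GlobalSign's, or the apetec.com procedure: generate the CSR from a small openssl.cnf-style file so the SANs become a real requested extension (the approach the note at the top of this page points to instead of command-line options), and then confirm that the CSR's SAN list equals the existing certificate's SAN list in the same order, which is the observation recorded near the top of this page and the condition behind the "SANs do not match certificate request" rejection. The example.test hostnames, "Example Org", and the self-signed certificate standing in for the certificate being renewed are all constructed for the demonstration; it relies only on the openssl command and on the layout of its -text output.

```shell
#!/bin/sh
# Added example, not the page's own method. Builds a CSR whose SANs are a real
# requested extension (openssl.cnf style) and checks, in order, that the CSR's
# SAN list equals the SAN list of an existing certificate.
# Constructed stand-ins: the example.test hostnames, "Example Org", and a
# self-signed certificate playing the role of the certificate being renewed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a minimal request config: the DN goes in [dn], the SANs in a
# req_extensions section, never in the subject string.
write_req_cnf() {   # $1 = output file, $2 = CN, $3.. = SAN DNS names, in order
    out=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[dn]\nC = CA\nST = Ontario\nL = Waterloo\nO = Example Org\nCN = %s\n\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$out"
}

# Print the SAN list of a CSR ("req") or certificate ("x509"), one entry per
# line, in the order the object carries them. Relies on openssl -text printing
# the names on the line after the "Subject Alternative Name" header.
san_list() {   # $1 = req | x509, $2 = PEM file
    openssl "$1" -noout -text -in "$2" |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Succeed only when CSR and certificate carry identical SANs in identical order.
sans_match() {   # $1 = CSR file, $2 = certificate file
    [ "$(san_list req "$1")" = "$(san_list x509 "$2")" ]
}

# Succeed only when the CSR carries the SANs as a requested extension (the
# CSR dumped on this page had them inside the CN and an empty Attributes a0:00).
csr_has_san_extension() {   # $1 = CSR file
    openssl req -noout -text -in "$1" |
        awk '/Requested Extensions:/ { inext = 1 }
             inext && /Subject Alternative Name/ { found = 1 }
             END { exit !found }'
}

# The certificate being renewed (constructed): self-signed, with its SAN list.
write_req_cnf "$WORK/old.cnf" example.test example.test www.example.test
openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/old.cnf" -extensions v3_req \
    -keyout "$WORK/old.key" -out "$WORK/old.crt" 2>/dev/null

# Renewal CSR with the same names in the same order: should be accepted.
write_req_cnf "$WORK/good.cnf" example.test example.test www.example.test
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/good.cnf" -keyout "$WORK/good.key" -out "$WORK/good.csr" 2>/dev/null

# Same names, swapped order: the kind of CSR the CA's matching check rejects.
write_req_cnf "$WORK/bad.cnf" example.test www.example.test example.test
openssl req -new -key "$WORK/good.key" -sha256 \
    -config "$WORK/bad.cnf" -out "$WORK/bad.csr" 2>/dev/null

check_good() { csr_has_san_extension "$WORK/good.csr" && sans_match "$WORK/good.csr" "$WORK/old.crt"; }
check_bad()  { csr_has_san_extension "$WORK/bad.csr" && ! sans_match "$WORK/bad.csr" "$WORK/old.crt"; }

check_good && echo "good.csr: SAN extension present, list matches old.crt"
check_bad  && echo "bad.csr: SAN extension present, but order differs from old.crt"
```

To use this against a real renewal, point san_list at the certificate you are replacing and at the CSR you are about to submit; a non-empty diff between the two lists, or csr_has_san_extension failing, is the thing to fix before pasting anything into the CA's form. Because the config lists DNS.1, DNS.2, ... explicitly, the order of the SANs in the CSR is exactly the order written in [alt_names], so the list can be copied straight from the old certificate.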
-- AdrianPepper - 2017-10-27