Generating a CSR specifying SANs
To see how this inclusion page fits in with similar ones, perhaps see one of
Generate a Certificate Signing Request (CSR) Including Alt Names (SANs)
The method originally shown here was unreliable. It perhaps always was a red herring, actually: it was based on the notion that using command-line options to specify certificate contents was a good idea. In fact, it would always have been better to learn how to edit and use an appropriate openssl.cnf-type file. I will be learning to use such a .cnf file and hope to post details as a better alternative to this method.
- BLUE is text you type literally
- RED is text you must modify before typing
But, in fact, in most cases in this page I use literal examples and assume the reader can modify them for their own needs.
In 2015, it seemed that if you wanted to ask for additional Subject Alternative Names (SANs) in your submission to GlobalSign, your CSR needed to contain matching information.
The method used here was taken directly from
http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html
Interestingly enough, the blogger has since replaced the method I used here with a new version showing how to use a .cnf file instead.
Observations regarding CSR and SANs
- SAN list in CSR must match old certificate exactly, including ordering
- SAN list entered in text box must match that, but minus the CN name
- That is, CSR and Certificate contain an extra SAN not in text box
- And you cannot change SANs as a side-effect while renewing
The openssl command tends to be on a normal user path, and has subcommands useful for examining and working with SSL certificates and their components. For example, you can use the openssl command to give you a more readable (well, detailed) version of the CSR:
root@www152# openssl req -text < test1.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cs.uwaterloo.ca/subjectAltName=DNS.1=www.cs.uwaterloo.ca,DNS.2=cs.uwaterloo.ca,DNS.3=www.scg.uwaterloo.ca,DNS.4=scg.uwaterloo.ca,DNS.5=odyssey.uwaterloo.ca,DNS.6=crysp.uwaterloo.ca,DNS.7=ripple.uwaterloo.ca,DNS.8=wwwtest.cs.uwaterloo.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:bb:01:33:73:fa:a5:03:e8:ee:51:eb:13:80:
80:ee:79:38:3e:8f:b5:35:0a:d3:f0:e8:19:f7:63:
6d:89:83:dd:0f:8e:6e:6a:d1:31:81:e9:76:71:cf:
d1:66:81:f3:1f:65:e6:eb:31:9f:86:e3:1d:99:75:
51:5f:e3:04:12:5a:57:bf:45:50:43:65:eb:85:3c:
a7:d7:b1:94:d6:42:ad:57:12:dd:8b:2b:f5:c8:c2:
bc:aa:3a:6a:4a:75:4c:70:dd:3d:09:f3:2f:96:97:
5e:62:e2:80:10:0e:0b:3b:30:2a:5a:86:1c:a3:7f:
b8:41:7f:bd:25:e6:2d:f7:1d:3c:16:1e:4d:b8:c3:
38:71:e1:8d:0f:3d:11:09:db:0e:6e:98:35:83:fe:
d2:b4:a2:76:e1:fb:71:51:e7:a0:11:57:15:3a:c1:
ad:9c:c1:d9:74:d2:f8:1f:66:1d:d3:10:da:dd:ba:
34:ab:90:b6:68:5a:b7:0e:4d:ee:84:1d:c1:1c:3f:
09:23:73:9d:3c:03:99:07:3e:8a:41:0b:2d:55:ad:
c7:22:24:9b:b0:08:8a:38:db:64:9f:5f:c0:f4:9d:
51:cc:a7:21:6e:c5:60:25:75:1c:28:25:b6:27:b4:
a6:81:e5:a0:ba:6e:df:c1:c8:78:0d:6a:2d:35:1e:
b7:71
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
bf:0f:50:3f:aa:18:3a:04:62:5a:cd:3a:31:2b:94:38:ed:1e:
2d:29:c5:8e:d2:d3:30:d1:cb:5f:7a:91:ad:5c:4d:e3:40:17:
09:ff:26:91:0c:ef:41:ae:4d:d7:12:98:a9:35:79:82:c5:06:
1e:8d:18:63:45:2c:38:c5:aa:8d:1b:25:16:7a:3a:fd:87:6c:
bd:43:04:52:3b:ad:52:b7:7b:57:49:cd:72:ef:c1:94:86:e2:
84:73:10:ad:9a:d3:95:19:2a:78:f0:38:c5:0c:ae:d0:1b:c7:
cb:a7:0b:60:42:a2:f2:e5:a0:1c:35:8f:21:b8:9d:3e:a4:35:
92:62:8b:a8:c0:09:ef:46:2f:1a:66:0c:a6:9d:eb:39:17:42:
f2:35:82:82:5d:58:6f:ef:4c:79:20:57:2c:d2:5f:04:52:be:
f2:6c:c0:64:53:de:ad:ff:7b:a9:59:0a:f2:ad:50:5d:d8:54:
55:99:58:02:07:bf:79:01:15:3f:02:0b:ac:f9:3e:e3:03:cc:
d0:e0:79:00:df:65:63:08:bf:5a:39:0c:f6:84:42:8f:7f:66:
22:53:a3:ba:79:df:02:77:bc:a9:51:1a:e6:43:73:43:8a:01:
77:bd:fb:77:7a:47:da:c8:6f:35:1a:42:86:ad:94:99:7d:da:
04:d5:36:45
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
I did the above just as an example. I generated a new key, and will throw it and the CSR away without using them for anything in production.
Notes
The final generated certificate must include the name specified in the CN field in the Subject Alternative Name section. For this reason, we arrange to specify it in our CSR, and that seems to work.
An oddity, however, is that in the corresponding box where GlobalSign requires you to list the SAN values, you must omit that value (although GlobalSign always includes the CN value in the SAN list).
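A way to produce a CSR whose SANs travel as a proper requested extension, and to check the ordering rules from the observations above, as an added example that is not from the original page, the endpoint blog, or GlobalSign. It uses a small openssl.cnf-style file (the alternative this page says is better than command-line options) and a throw-away self-signed certificate standing in for the "old certificate"; the file names under a temporary directory, the three hostnames and the helper names (san_list, textbox_list, san_lists_match, san_in_subject_dn) are all constructed for the demonstration. Note that in the CSR printed above, the SAN string sits inside the Subject DN ("CN=cs.uwaterloo.ca/subjectAltName=DNS.1=...") and the Attributes block is empty, whereas a CSR built from a .cnf file carries the names under "Requested Extensions", which is where a CA that honours CSR extensions looks for them.

```shell
#!/bin/sh
# Added example (not from the original page): build a CSR whose SANs are carried as a
# proper "Requested Extensions" entry via a .cnf file, then extract and compare the
# SAN lists of a CSR and a certificate in order, as the observations above require.
# Hostnames, file names and the self-signed "old certificate" are constructed for the demo.

# Print the SAN entries (DNS names, in certificate order, one per line) found in the
# text passed as $1, i.e. the output of "openssl req -text" or "openssl x509 -text".
san_list() {
    printf '%s\n' "$1" | awk '
        found {
            sub(/^[ \t]+/, "")
            n = split($0, a, /,[ \t]*/)
            for (i = 1; i <= n; i++) { sub(/^DNS:/, "", a[i]); print a[i] }
            exit
        }
        /X509v3 Subject Alternative Name/ { found = 1 }'
}

# Succeed if the SAN string sits inside the Subject DN ("/subjectAltName=DNS.1=..."),
# the shape the command-line method shown on this page produced. That is a DN
# component, not a requested extension, so san_list will not find it.
san_in_subject_dn() {
    printf '%s\n' "$1" | grep -q 'Subject:.*/subjectAltName='
}

# The list to paste into the SAN text box: every SAN except the CN ($2).
textbox_list() {
    san_list "$1" | grep -Fvx -- "$2"
}

# Succeed only when both SAN lists are non-empty and identical, including order.
san_lists_match() {
    [ -n "$(san_list "$1")" ] && [ "$(san_list "$1")" = "$(san_list "$2")" ]
}

CN=cs.uwaterloo.ca
WORK=$(mktemp -d)

# prompt = no takes the DN from [dn]; req_extensions adds the SANs to the request.
cat > "$WORK/san.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = CA
ST = Ontario
L  = Waterloo
O  = University of Waterloo
CN = $CN

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $CN
DNS.2 = www.cs.uwaterloo.ca
DNS.3 = wwwtest.cs.uwaterloo.ca
EOF

if command -v openssl >/dev/null 2>&1; then
    # New key and CSR; -nodes leaves the demo key unencrypted (it is deleted below).
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" \
        -keyout "$WORK/test.key" -out "$WORK/test.csr" 2>/dev/null
    # A self-signed certificate from the same config stands in for the "old certificate"
    # whose SAN list a renewal CSR must reproduce exactly, in the same order.
    openssl req -x509 -new -key "$WORK/test.key" -config "$WORK/san.cnf" \
        -extensions req_ext -days 1 -out "$WORK/old.crt" 2>/dev/null
    CSR_TEXT=$(openssl req -noout -text -in "$WORK/test.csr")
    CERT_TEXT=$(openssl x509 -noout -text -in "$WORK/old.crt")

    echo "SANs requested in CSR (in order):"; san_list "$CSR_TEXT"
    echo "Paste into the SAN text box (CN omitted):"; textbox_list "$CSR_TEXT" "$CN"
    if san_lists_match "$CSR_TEXT" "$CERT_TEXT"; then
        echo "CSR SAN list matches the old certificate"
    else
        echo "CSR SAN list differs from the old certificate (or ordering differs)" >&2
    fi
    if san_in_subject_dn "$CSR_TEXT"; then
        echo "warning: SANs are embedded in the Subject DN, not a requested extension" >&2
    fi
else
    echo "openssl not on PATH; skipping CSR generation" >&2
    CSR_TEXT=""; CERT_TEXT=""
fi
rm -rf "$WORK"
```

Run it with sh. The printed text-box list is the SAN list minus the CN, which is the oddity described in this section. Before submitting a renewal, feed san_list the text of the old certificate and of the new CSR to confirm they agree entry for entry and in order.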
In the submission stage (which will mostly be covered later), at the GlobalSign submission page, you must select
Add specific Subject Alternative Names (SANs)
[ ] No [X] Yes
That expands and opens up four more options:
- Activate Standard Unified Communications (UC) Support
- Secure Additional Subdomains
- Secure Public IP Addresses
- Secure Additional Domain Names
You actually want to select, expand, and proceed with Secure Additional Subdomains. The option is badly titled and likely should say Fully Qualified Domain Names instead of subdomains.
In particular, you will get nowhere if you try Secure Additional Domain Names since in that case all names must be non-FQDN and, I think, relative to the CN of the certificate.
Actual Certificate Generated by a Very Similar Request
The following production certificate was generated (i.e. received from GlobalSign after appropriately submitting the CSR at their form page) using a CSR very similar to the above, but with a different private/public key pair. Note where the specified names appear in the Subject Alternative Name section in the X509v3 extensions section.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:21:90:7a:78:1d:e5:b4:7e:fd:18:b8:b3:48:47:59:2c:f7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
Validity
Not Before: Mar 25 17:51:09 2015 GMT
Not After : Mar 25 17:51:09 2016 GMT
Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cs.uwaterloo.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:bb:ed:a7:25:6a:e6:d3:9a:59:95:af:88:2e:
8b:24:2a:97:20:41:51:80:b3:d5:35:6a:6e:a7:0c:
90:dd:3b:ca:ca:d6:4e:9a:2b:69:b0:ee:fa:79:dd:
4e:80:18:08:ef:43:e2:a2:06:07:a8:43:75:10:7e:
f4:ac:d2:70:44:7f:94:11:b4:0a:0b:1b:9a:a9:41:
9b:8b:35:82:da:44:cf:b2:44:54:3a:31:be:80:6c:
79:53:d7:51:9c:4f:e8:75:bd:51:ae:3a:45:4e:d2:
f9:3a:1c:03:c7:d4:9e:c2:ee:3b:8f:9a:80:08:1a:
fc:67:a9:f1:cc:ae:ae:93:8b:52:c4:3e:cf:58:c2:
14:3a:4a:4c:4f:df:86:e3:0c:11:6d:70:22:be:2f:
6b:43:5a:e3:4c:fe:5c:42:52:9c:b0:68:6a:9e:6a:
a2:66:e8:a1:0c:69:0e:94:84:3f:42:ec:53:a7:fa:
d3:1a:eb:b6:f8:ef:eb:cb:97:8e:c4:0d:1d:86:13:
ae:59:2b:a1:d4:8a:27:a9:9b:3a:b1:f8:1e:cc:06:
6b:a7:fe:8a:41:be:12:d2:af:0e:93:5c:97:1d:c7:
8f:f2:e4:0c:aa:3d:e4:f9:3e:bc:04:72:44:df:50:
e3:d8:74:0f:96:93:c9:05:53:fe:14:df:05:8e:0c:
99:07
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: https://www.globalsign.com/repository/
X509v3 Subject Alternative Name:
DNS:cs.uwaterloo.ca, DNS:www.cs.uwaterloo.ca, DNS:www.scg.uwaterloo.ca, DNS:scg.uwaterloo.ca, DNS:odyssey.uwaterloo.ca, DNS:crysp.uwaterloo.ca, DNS:ripple.uwaterloo.ca, DNS:wwwtest.cs.uwaterloo.ca
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl
Authority Information Access:
CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
OCSP - URI:http://ocsp2.globalsign.com/gsorganizationvalsha2g2
X509v3 Subject Key Identifier:
42:EF:03:65:9D:95:7A:02:67:30:B5:DB:2B:FB:CB:A3:69:2A:9E:1C
X509v3 Authority Key Identifier:
keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C
Signature Algorithm: sha256WithRSAEncryption
5b:84:5c:ba:46:e7:1e:95:34:1c:8a:92:dd:4a:6c:ef:82:2f:
12:b1:91:05:aa:c4:30:f8:83:75:c4:3e:06:3c:11:4d:0b:14:
7c:a4:d3:ca:e7:a9:e3:93:f3:76:5a:15:1d:81:f4:e4:cf:8d:
0d:1a:93:34:74:7d:15:29:aa:29:26:2e:c4:ea:33:ce:09:9c:
0f:17:f7:2f:ed:92:21:a1:9c:6a:ef:4e:1d:64:7c:51:e5:0a:
bf:1f:41:e9:20:a1:6d:ad:d6:5b:9b:e3:01:95:52:58:8f:b3:
9f:d3:5f:8d:93:bb:ef:ae:37:b1:81:b4:d2:1b:76:2b:1d:4c:
f8:9e:af:ea:2b:21:7a:90:9d:f5:57:5e:e6:4d:0e:44:6c:ae:
39:d3:b0:60:73:82:fa:d9:3d:c9:8a:24:5a:de:d2:6f:33:0a:
5d:51:64:75:f6:24:16:e6:81:1e:2b:da:2a:b8:c7:14:cc:3d:
5d:ee:ec:b4:f4:7c:20:a8:e0:95:05:36:b9:b5:05:e1:c3:26:
08:1e:14:84:19:8f:fa:94:97:2c:78:53:84:64:11:6b:0c:b3:
89:d3:f2:46:ca:3e:f4:2c:61:2d:dd:64:f7:f5:0e:60:cd:79:
8a:38:43:d3:c1:61:26:64:f7:14:59:6f:a2:fb:be:3e:d4:87:
3f:31:8b:8d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
If This Does Not Seem to Work
If, even after diddling the GlobalSign submission page to specify the SANs in an appropriate box, your submission still fails with something like "SANs do not match certificate request", then you might need to resort to the more complicated procedure, currently documented at
* http://apetec.com/support/GenerateSAN-CSR.htm
--
AdrianPepper - 2017-10-27