OpenSSL Certificate With subjectAltName One-Liner

Datetime: 2016-08-22 21:45:51          Topic: OpenSSL

To create a self-signed OpenSSL certificate in one command that carries one or more subjectAltName entries, you must pass both -extensions and -config, as follows. The -config argument feeds req the system openssl.cnf concatenated with a [SAN] section built on the fly, and -extensions SAN tells req to copy that section into the certificate. The paths below cover macOS and Debian-style systems; Red Hat and its derivatives keep the file at /etc/pki/tls/openssl.cnf, so adjust the path there.

openssl req \
  -newkey rsa:4096 \
  -days 3650 \
  -nodes \
  -x509 \
  -subj "/C=US/ST=Distributed/L=Cloud/O=Cluster/CN=*.api-scispike.com" \
  -extensions SAN \
  -config <( cat $( [[ "Darwin" == "$(uname -s)" ]]  && echo /System/Library/OpenSSL/openssl.cnf || echo /etc/ssl/openssl.cnf  ) \
    <(printf "[SAN]\nsubjectAltName='DNS.1:*.api-scispike.com,DNS.2:api.scispike.com,DNS.3:app.scispike.com'")) \
  -keyout private_key.pem \
  -out server.crt

Looking at the output of x509 you should be able to see the X509v3 extensions, which indicates success. Note the sha1WithRSAEncryption signature algorithm in this output: that was the default of the OpenSSL build used here, and current clients reject SHA-1 signatures, so add -sha256 to the req command unless your OpenSSL already defaults to it.

$ openssl x509 -noout -certopt no_sigdump,no_pubkey -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b1:93:3d:ed:5f:48:64:b4
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Distributed, L=Cloud, O=Cluster, CN=*.api-scispike.com
        Validity
            Not Before: Jun 11 00:25:48 2016 GMT
            Not After : Jun  9 00:25:48 2026 GMT
        Subject: C=US, ST=Distributed, L=Cloud, O=Cluster, CN=*.api-scispike.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:*.api-scispike.com, DNS:api.scispike.com, DNS:app.scispike.com
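The same procedure as an added example (not the post's own code), taken a step further than the one-liner: a function that accepts the CN and any number of names, locates the base openssl.cnf through openssl version -d instead of a hard-coded path, falls back to a minimal inline [req] section when no system file is readable, signs with SHA-256 explicitly, and then verifies the result the way a TLS client would, with openssl x509 -checkhost (OpenSSL 1.0.2 or later). The function and file names (make_cert, cert_sans, cert_matches_host, private_key.pem, server.crt) and the 2048-bit key size are this example's own choices; the hostnames are the ones from the post.

```shell
#!/usr/bin/env bash
# Added example, not the post's code. Wraps the one-liner in a function that
# takes the CN plus any number of SAN names, finds the base openssl.cnf via
# `openssl version -d`, falls back to a minimal inline config when no system
# file exists, signs with SHA-256, and then checks the certificate with x509.
# Function/file names (make_cert, cert_sans, cert_matches_host,
# private_key.pem, server.crt) are this example's own choices.
set -eu

# Path of the installed openssl.cnf, taken from OPENSSLDIR rather than a
# hard-coded Darwin/Linux guess (Red Hat, for instance, uses /etc/pki/tls).
base_config() {
  local dir
  dir=$(openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
  printf '%s/openssl.cnf\n' "$dir"
}

# make_cert CN OUTDIR NAME... : writes OUTDIR/private_key.pem and OUTDIR/server.crt.
# Bare names become DNS: entries. Give addresses as IP:1.2.3.4 yourself: an
# address written as DNS: is never matched by clients.
make_cert() {
  local cn="$1" outdir="$2" name san='' cfg base
  shift 2
  for name in "$@"; do
    case $name in
      DNS:*|IP:*|email:*|URI:*) ;;          # already typed by the caller
      *) name="DNS:$name" ;;
    esac
    san="${san:+$san,}$name"
  done
  cfg=$(mktemp)
  base=$(base_config)
  if [ -r "$base" ]; then
    cat "$base" >"$cfg"                     # the post's approach: system cnf + our section
  else
    # smallest [req] section openssl accepts when -subj supplies the whole DN
    printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$cfg"
  fi
  printf '\n[SAN]\nsubjectAltName = %s\n' "$san" >>"$cfg"
  # 2048 bits keeps the demo fast; the post uses rsa:4096.
  openssl req -newkey rsa:2048 -nodes -x509 -days 3650 -sha256 \
    -subj "/CN=$cn" -extensions SAN -config "$cfg" \
    -keyout "$outdir/private_key.pem" -out "$outdir/server.crt" 2>/dev/null \
    || { rm -f "$cfg"; echo "openssl req failed" >&2; return 1; }
  rm -f "$cfg"
}

# Print each SAN entry of a certificate on its own line.
cert_sans() {
  openssl x509 -noout -text -in "$1" \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *//'
}

# Succeeds only if OpenSSL's own hostname matcher (X509_check_host, the one
# TLS clients use, wildcards included) accepts HOST for the certificate.
cert_matches_host() {
  openssl x509 -in "$1" -checkhost "$2" | grep -q 'does match'
}

# Demo: the same names as the post, written into a throw-away directory.
demo_dir=$(mktemp -d)
make_cert '*.api-scispike.com' "$demo_dir" '*.api-scispike.com' api.scispike.com app.scispike.com
echo "SANs in the certificate:"
cert_sans "$demo_dir/server.crt"
for h in foo.api-scispike.com api.scispike.com api-scispike.com; do
  if cert_matches_host "$demo_dir/server.crt" "$h"; then
    echo "$h: covered"
  else
    echo "$h: NOT covered"
  fi
done
rm -rf "$demo_dir"
```

The -checkhost step is the check that matters: it exercises the same X509_check_host logic a client runs, so it reports what a client will decide, including that *.api-scispike.com covers foo.api-scispike.com but not api-scispike.com itself, and that the CN is ignored once a SAN extension is present.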

I came up with this solution by piecing together man pages and random Google results. I was surprised at how many incomplete and inaccurate answers were out there. What may have been more surprising was the complete lack of a full, intact solution.

Some examples simply output CSRs or require creating larger portions of openssl.cnf. The worst were examples which appended subjectAltName to the subject. They look like they are going to work but then don't.

Inspiration for my approach came from this nearly complete answer at StackExchange: Provide subjectAltName to openssl directly on command line. Buried near the bottom is a partial example (which I originally missed) which indicates -extensions rather than -reqexts. This is rather an important detail considering we are trying to make a certificate, not a CSR.
