OpenSSL CSR with Alternative Names one-line

By
Emanuele “Lele” Calò

October 30, 2014

2017-02-16 — Edit — I modified this post to use a different technique than the one I used in the original version, because the X509v3 extensions weren't created or seen correctly by many certificate providers.

I find it hard to remember a period in my whole life in which I issued, reissued, renewed and revoked so many certificates.

And while that's usually fun and interesting, there's one thing I often needed and never found, until a few days ago, which is how to generate CSRs (Certificate Signing Requests) with AlternativeNames (eg: including the www and non-www domain in the same cert) with a one-liner command.

This need is due to the fact that some certificate providers (like GeoTrust) don't cover the parent domain when requesting a new certificate (eg: a CSR for www.endpoint.com won't cover endpoint.com), unless you specifically request so.

Luckily that's not the case with other certificate products (like RapidSSL) which already offer this feature built-in.

This issue is starting to be problematic more often, since we're seeing a growing number of customers supporting sites with HTTPS connections covering both the www and "non-www" subdomains of their website.

Luckily the solution is pretty simple and straightforward, and the only requirement is that you need to type the CSR subject on the command line directly, basically without using the interactive question mechanism.

If you managed to understand how an SSL certificate works this shouldn't be a big problem; anyway, just as a recap, here's the list of the meaning of the common Subject entries you'll need:

  • C — Country
  • ST — State
  • L — City
  • O — Organization
  • OU — Organization Unit
  • CN — Common Name (eg: the main domain the certificate should cover)
  • emailAddress — main administrative point of contact for the certificate

So by using the common syntax for an OpenSSL subject written via the command line you need to specify all of the above (the OU is optional) and add another section called subjectAltName=.

By adding DNS.n (where n is a sequential number) entries under the "subjectAltName" field you'll be able to add as many additional "alternate names" as you want, even ones not related to the main domain.

Obviously the first-level parent domain will be covered by most SSL products, unless specified differently.

So here's an example to generate a CSR which will cover *.your-new-domain.com and your-new-domain.com, all in one command:

openssl req -new -sha256 -nodes -out *.your-new-domain.com.csr -newkey rsa:2048 -keyout *.your-new-domain.com.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = www.your-new-domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
EOF
)

To be honest, that's a sub-optimal solution for a few reasons, but mainly because it's not comfortable to fix in case you made a typo or similar.

That's why I prefer creating a dedicated file (which you could also reuse in the future) and then piping that into openssl.

Of course you can use your text editor of choice; I used a HEREDOC mainly because it shows better in blog posts, in my opinion.

cat > csr_details.txt <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = www.your-new-domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
EOF

# Let's call openssl now by piping the newly created file in
openssl req -new -sha256 -nodes -out *.your-new-domain.com.csr -newkey rsa:2048 -keyout *.your-new-domain.com.key -config <( cat csr_details.txt )

Now with that I'm able to generate proper multi-domain CSRs effectively.

Please note the use of the -sha256 option to enable SHA256 signing instead of the old (and now definitely deprecated) SHA1.
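Whether the names really ended up in the X509v3 "Subject Alternative Name" request extension (what CSR decoders and the stricter CAs look at), and not merely as text inside the Subject DN, is something worth checking before sending a CSR off. The following is an added example, not code from the original post: it wraps the config-file approach above in two small shell functions, one that builds the CSR and one that reads the SAN entries back out of it. It assumes openssl is on PATH; the organisation values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): write the SAN config the way
# the article does, generate the CSR, then confirm the names landed in the
# X509v3 Subject Alternative Name request extension rather than in the
# Subject DN. Assumes openssl on PATH; org values are placeholders.
set -eu

# make_san_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr covering DOMAIN and
# www.DOMAIN. The CN is repeated in the SAN list because clients that
# honour SANs ignore the CN entirely.
make_san_csr() {
    domain=$1; outdir=$2
    cfg=$(mktemp)
    # Unquoted delimiter on purpose: the shell expands $domain here.
    cat > "$cfg" <<EOF
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = US
O = Example Org (placeholder)
CN = www.$domain
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $domain
DNS.2 = www.$domain
EOF
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -config "$cfg" 2>/dev/null
    rm -f "$cfg"
}

# csr_san_dns CSRFILE
# Prints each DNS name from the SAN request extension on its own line;
# prints nothing if the extension is missing (the failure mode seen when
# SANs are passed through -subj instead of req_extensions).
csr_san_dns() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# csr_covers CSRFILE NAME: succeeds only if NAME is a SAN DNS entry.
csr_covers() {
    csr_san_dns "$1" | grep -qx "$2"
}
```

Run `make_san_csr your-new-domain.com .` and then `csr_san_dns your-new-domain.com.csr`; an empty result means the extension was not requested at all, whatever the Subject line says.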


Thanks to all our readers for all the hints, ideas and suggestions they gave me to improve this post, which apparently is still very useful to a lot of System Administrators out there.

security
sysadmin
tls


Comments

Go to the GitHub Issue to comment on this post.

Jon Jensen commented on October 31, 2014

Thanks, Lele. Nice to have a single command for that.

One thing I am curious about: I believe the RFCs state that if you use a Subject Alternative Name, you must supply all names as SANs, and the CN may be ignored by clients. If I understand correctly, that means you need to list e.g. www.endpoint.com as the CN, and both www.endpoint.com and bare endpoint.com as SANs.

Can you confirm or deny that?

Emanuele ‘Lele’ Calo’ commented on November 29, 2014

After some investigation I finally found a proper answer.

As can be read here, it seems that "some browsers" (yes, IE) may refer to this RFC strictly enough that if they find a SAN field they won't consider the CN field and only use the domains found in the SANs.

While the original "older" RFC didn't specifically endorse nor encourage that behavior, with the new RFC there was more confusion on how to read that part, so some browsers went that way.

The final answer is: since it's never a problem to have one domain in both fields (CN and SAN) but it could be a problem to have the main domain only in the CN when using SANs, it's better to have all domains present in both fields.

Since the CN only supports one domain, it's common practice to put the main domain there, and then repeat it in the SAN field along with all the additional ones.

Deikensentsu commented on January 20, 2015

This doesn't correctly generate the x509 certificate with the v3 extensions required for proper compliance with the RFC spec.

This can be verified by generating a certificate and then doing an 'openssl req -in yourfile.csr -noout -text' and looking for the v3 information.

I am still interested in finding a one-liner, but so far I've had to build an openssl.cnf according to this other blog post and pass it in. http://apetec.com/support/GenerateSAN-CSR.htm

Emanuele ‘Lele’ Calo’ commented on January 21, 2015

@Deikensentsu That is true.

Anyway I found that most certificate authorities are happy with the CSR generated that way and will create a certificate securing the right domains (NameCheap, GoDaddy, GeoTrust, etc.)

Anyway thanks for your input, I'll add a line in the post text.

Have a great day.

sushil rangari commented on January 22, 2015

Hi,

your command is not working for me, it's giving me an error like below

Error opening Private Key endpoint.com.key
5133:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('endpoint.com.key','r')
5133:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load Private Key

  1. when I remove endpoint.com.key from the command, the csr which gets generated doesn't have the SAN in it, this is what I got in the CSR


on decoding the above csr it's giving me like below

Email: a@gmail.com/subjectAltName=DNS.1=endpoint.com

Please suggest

sushil rangari commented on January 24, 2015

Hello Emanuele,

Thanks for replying back. Yes, I do have some basic knowledge of Certificate Generation.

I changed the contents of your command as per my need, but the desired CSR which I wanted was not generated, specifically for the SAN.

I've added www.domain.com as CN and under subjectAltName=DNS.1=domain.com

but I got the SAN under the email section

Email:name@gmail.com/subjectAltName=DNS.1=domain.com

am I doing something wrong? do I need to make changes in the openssl conf file as well?

Please suggest. It will be helpful

Thanks
Sushil R

Emanuele ‘Lele’ Calo’ commented on January 24, 2015

@sushil_rangari it seems that something may have been wrong in the command you used to generate the certificate. In order to be of any help I would need to see the steps you took to create the certificate. Please create a pastebin and I'll be happy to have a look and try to help.

sushil rangari commented on January 24, 2015

Hello Emanuele,

here are the commands which I'm running

  1. [root@master ~]# openssl req -new -sha256 -nodes -subj '/C=US/ST=New York/L=New York/O=IT/OU=Hosting Team/CN=www.domain.com/emailAddress=sushil.rangari84@gmail.com/subjectAltName=domain.com' > www.domain.com.csr
    Generating a 1024 bit RSA private key
    ..............++++++
    ........................++++++
    writing new private key to 'privkey.pem'

  1. [root@master ~]# cat www.domain.com.csr
    [root@master ~]# openssl req -text -noout -verify -in www.domain.com.csr
    verify OK
    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=New York, L=New York, O=IT, OU=Hosting Team, CN=www.domain.com/emailAddress=sushil.rangari84@gmail.com/subjectAltName=domain.com
    Subject Public Key Info:

Please suggest.

Thanks
Sushil R

sushil rangari commented on January 24, 2015

In my previous command I missed DNS.1=

but after adding it the results are the same

[root@master ~]# openssl req -new -sha256 -nodes -subj '/C=US/ST=New York/L=New York/O=IT/OU=Hosting Team/CN=www.domain.com/emailAddress=sushil.rangari84@gmail.com/subjectAltName=DNS.1=domain.com' > www.domain.com.csr
Generating a 1024 bit RSA private key
....++++++
...........................++++++
writing new private key to 'privkey.pem'

[root@master ~]# openssl req -text -noout -verify -in www.domain.com.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=New York, L=New York, O=IT, OU=Hosting Team, CN=www.domain.com/emailAddress=sushil.rangari84@gmail.com/subjectAltName=DNS.1=domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption

Thanks
Sushil R

Emanuele ‘Lele’ Calo’ commented on January 26, 2015

Hi Sushil Rangari,
The behavior you noticed is the same one the other reader noticed in saying that it's not "X509v3 compliant", specifically meaning that the SAN will be part of the subject field instead of having a dedicated field.
As I anticipated, this is not an issue with most certificate providers out there (NameCheap, GeoTrust, GoDaddy), while it could be an issue if you're dealing with software or appliances which need certificates to be strictly X509v3 compliant.
In that case I suggest using the classical file-based SAN generation approach.

Thanks.

Michael Roedelbronn commented on September 23, 2015

Hi, I was wondering how one could use this format and also use a challenge phrase. When I use the syntax given it doesn't prompt for any additional information. Putting /challengePassword=.../ doesn't seem to work.

Andrew Leahy commented on October 14, 2015

Hi Lele,

FYI your one-liner didn't seem to add the subjectAltName to my CSR when I ran it through a CSR decoder. But this one-liner did:

openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.csr

Cheers, Andrew | Western Sydney Uni

Lyas Spiehler commented on October 28, 2015

I just developed a web based tool that will generate this command for you and display the output. http://kernelmanic.com/certificate-request-generator-with-multiple-common-names-and-subject-alternative-names/

Starbeamrainbowlabs commented on June 28, 2016

Thanks – this post is really useful. I'd say though that using "New York" as an example in the openssl command itself is very confusing – I can't tell the difference between the different fields. Perhaps it should be changed to something else?

Jake commented on February 10, 2017

Please update your post or delete it.

satish rao commented on February 15, 2017

Hi,
I am using the below command:

openssl req -config openssl.cnf -new -key ./private/radagast8.key -sha256 -nodes -out radagast9.csr -subj '/C=US/ST=Georgia/L=Dulut/O=Ericsson/OU=SV/CN=mdms-settings/
emailAddress=satish.anupindi.rao@ericsson.com/
subjectAltName=DNS.1=mdms-settings,
DNS.2=httpna,
IP.1=10.116.4.195,
IP.2=10.116.4.143'

But I get an error with

Subject Attribute
emailAddress has no known NID, skipped
Subject Attribute
subjectAltName has no known NID, skipped

What did I do wrong?

Emanuele ‘Lele’ Calo’ commented on February 17, 2017

I finally found some time to answer all the questions, doubts, hints and concerns above.

Thanks all for your hints, ideas and comments.

Phillip Odam commented on May 12, 2017

How about just...

./generateCSR.sh US 'New York' Rochester 'End Point' 'Testing Domain' your-administrative-address@your-awesome-existing-domain.com your-new-domain.com

and if you want to make the argument handling flexible see http://wiki.bash-hackers.org/howto/getopts_tutorial

You may not want the argument defaults that I've set in generateCSR.sh but instead make at least some arguments required

And for the generateCSR.sh...

#!/bin/sh

CSR_DETAILS=$(mktemp)

# Quoted delimiter: the ${ENV::...} references are OpenSSL config syntax
# and must reach the file literally so that openssl expands them itself.
cat > "${CSR_DETAILS}" <<-'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=${ENV::COUNTRY}
ST=${ENV::STATE}
L=${ENV::LOCATION}
O=${ENV::ORGANIZATION}
OU=${ENV::ORGANIZATION_UNIT}
emailAddress=${ENV::EMAIL}
CN=www.${ENV::DOMAIN}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ${ENV::DOMAIN}
DNS.2 = www.${ENV::DOMAIN}
EOF

# Defaults are quoted so values containing spaces survive in plain sh.
export COUNTRY="${1:-US}"
export STATE="${2:-New York}"
export LOCATION="${3:-Rochester}"
export ORGANIZATION="${4:-End Point}"
export ORGANIZATION_UNIT="${5:-Testing Domain}"
export EMAIL="${6:-your-administrative-address@your-awesome-existing-domain.com}"
export DOMAIN="${7:-your-new-domain.com}"

# Let's call openssl now by pointing it at the newly created file
openssl req -new -sha256 -nodes -out *.${DOMAIN}.csr -newkey rsa:2048 -keyout *.${DOMAIN}.key -config "${CSR_DETAILS}"

rm "${CSR_DETAILS}"

vaibhav zirmite commented on May 17, 2017

Hello,

I have a stupid but basic question about SAN certificates.

Can I use, under "alt_names", DNS names of different servers and different domains? for example:
DNS.1 = server1.exampledomain.com
DNS.2 = server2.exampledomain.at
DNS.3 = server3.exampledomain.com
DNS.4 = server4.exampledomain.at

And use the generated SAN certificate on all included servers?

BR/ Vaibhav

Emanuele ‘Lele’ Calo’ commented on May 17, 2017

Hi vaibhav zirmite,
Yes, you definitely can, as long as you will be able to validate all of them, not necessarily in a single shot.

Hi Phillip Odam,
I'm evaluating adding your hint, in a slightly different version, to the original article. Thanks for taking the time to write it down.

Phillip Odam commented on May 19, 2017

Hi Emanuele

No problem, thanks for your write up as it helped with my automating a self-signed root, intermediate, leaf certificate generation.

Phillip

TODD TRIMMER commented on June 8, 2017

Thanks for this!

Manna Anam commented on August 8, 2017

The code may be incorrect – it always fails to find the distinguished name if it is not put as the first entry under [req]

Tom Saleeba commented on October 16, 2017

Thanks for the useful article. Definitely a time saver.

bish0polis commented on September 30, 2018

-config <( cat csr_details.txt )

why not just -config csr_details.txt ?

aghsmith commented on December 18, 2019

In the command line that inputs the csr details file, you use -sha256. However, you also use
default_md = sha256
in the text of the csr details file.
Is this redundant or are there different things going on?
