Differences

This shows you the differences between two versions of the page.

--- docs:tips_n_tricks:openssl.html [21.10.2017 11:24 CEST] – [Generate RSA key and certificate request] peter
+++ docs:tips_n_tricks:openssl.html [24.01.2019 11:36 CET] – [Subject in config file] peter
@@ Line 1: / Line 1: @@
 ====== OpenSSL ======
-===== Generate RSA key and certificate request =====
+===== Generate RSA key and simple certificate request =====
   openssl genpkey                       \
@@ Line 11: / Line 11: @@
              -key www.usr-local.org.key    \
              -outform PEM                  \
-             -keyout www.usr-local.org.key \
              -subj "/C=DE/ST=Berlin/O=IN Berlin/OU=\/usr\/local/CN=www.usr-local.org" \
              -out www.usr-local.org.csr
+===== Generate certificate request with Subject Alternate Names =====
 See [[https://github.com/openssl/openssl/issues/3311|issue #3311 of openssl on github]] about adding SAN((Subject Alternate Name)) entries. And there are a lot of suggestions [[https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line/91556#91556|in an stackexchange answer]] that was linked from the issue.
+The following approaches did work for me:
+==== Subject in config file ====
+  openssl genpkey                       \
+          -algorithm RSA                \
+          -pkeyopt rsa_keygen_bits:2048 \
+          -out usr-local.org.key        \
+  && openssl req                        \
+          -config usr-local.org.conf    \
+          -new                          \
+          -outform PEM                  \
+          -key usr-local.org.key        \
+          -out usr-local.org.csr
+the config file ''usr-local.org.conf'' might have different (sub)formats:
+<code text>
+[ req ]
+distinguished_name = dn
+req_extensions     = req_cert_extensions
+utf8 = yes
+prompt = no
+[req_cert_extensions]
+subjectAltName=@subject_alt_name
+[ subject_alt_name ]
+DNS.1=usr-local.org
+DNS.2=www.usr-local.org
+DNS.3=ssl.usr-local.org
+DNS.4=smtp.usr-local.org
+[ dn ]
+C=DE
+ST=Berlin
+O=IN Berlin
+.DC=org
+.DC=usr-local
+OU=\/usr\/local
+CN=usr-local.org
+</code>
+==== Subject in command line ====
+  openssl genpkey                       \
+          -algorithm RSA                \
+          -pkeyopt rsa_keygen_bits:2048 \
+          -out usr-local.org.key        \
+  && openssl req                        \
+          -config usr-local.org.conf    \
+          -subj "/C=DE/ST=Berlin/O=IN Berlin/DC=org/DC=usr-local/OU=\/usr\/local/CN=www.usr-local.org" \
+          -new                          \
+          -outform PEM                  \
+          -out usr-local.org.csr
+with config file:
+<code text>
+[ req ]
+distinguished_name = dn
+req_extensions     = req_cert_extensions
+utf8 = yes
+# This sets a mask for permitted string types. There are several options.
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+string_mask = utf8only
+[ req_cert_extensions ]
+subjectAltName= DNS:usr-local.org , DNS:www.usr-local.org , DNS:ssl.usr-local.org , DNS:smtp.usr-local.org
+[ dn ]
+</code>
+==== Generic script ====
+A generic script would be:
+<code bash create_csr.sh>
+#! /bin/bash
+set -o errexit
+name="$1"
+subject="/C=DE/O=\/usr\/local/OU=SSL/CN=${name}"                    ;;
+for dir in /etc/apache2/ssl /etc/ssl/private
+do
+  keyfile="${dir}/${name}.key"
+  [ -f "$keyfile" ] && break
+done
+echo "Found keyfile '$keyfile'"
+openssl req -new -key "$keyfile" -outform PEM \
+            -subj "${subject}" \
+            -config <(cat /etc/ssl/openssl.cnf "${name}.conf") \
+            -out "${name}.csr"
+</code>
+====  ====
+__References__:
+  * https://help.directadmin.com/item.php?id=256
+  * https://www.thomas-krenn.com/de/wiki/Openssl_Multi-Domain_CSR_erstellen
+  * https://github.com/openssl/openssl/issues/3311
+  * https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line/91556#91556
+  * http://openssl.6102.n7.nabble.com/cmd-line-and-subjectAltName-td47538.html#a47548
 ===== Convert CA certifiates =====
@@ Line 50: / Line 170: @@
   openssl x509 -text -noout -inform der -in cert.crt
+===== Convert Formats =====
+==== PEM to pkcs12 ====
+  openssl pkcs12 -export -in cert.pem -inkey key.pem -out result.p12
+==== pkcs12 to PEM ====
+  openssl pkcs12 -in input.p12 -out output.pem
 ===== References =====
@@ Line 56: / Line 186: @@
   * [[http://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html|Removing a passphrase froman SSL key]]
   * [[http://www-user.tu-chemnitz.de/~hot/SSL/|Praktische Experimente mit OpenSSL]]
+  * [[https://binblog.info/2007/08/15/pem-nach-p12-konvertieren/|#!/bin/blog: PEM nach P12 konvertieren]]
   * ''man fetchmail''\\ ''man openssl''\\ ''man genpkey''\\ ''man req''