Net Assured

Network and Security Consultancy

T 07789 400408
Email: [email protected]

Net Assured Limited
84 Goodacre, Orton Goldhay, Peterborough, PE2 5LZ

Using OpenSSL to generate CSRs with Subject Alternative Name

Friday, 19 May 2017 / Published in Certificates, Security

This post details how I’ve been using OpenSSL to generate CSRs with Subject Alternative Name extensions. You may have noticed that since Chrome 58, certificates that do not have Subject Alternative Name extensions will show as invalid. Amazing, I must have missed the memo on that. Most of the certificates I use in my home lab do not have these extensions, so I was getting untrusted certificate warnings. Yes, you can wave your “but certificates should contain SAN as per the RFC” flag at me, but if the device you generate the CSR from does not support adding Subject Alternative Name extensions you have to generate them manually. I’ve had to regenerate pretty much all the certificates in my lab using OpenSSL.

This is the process I followed using OpenSSL on Ubuntu:

Step 1 – Create an OpenSSL configuration file

Create a configuration file and populate the details specific to your CSR. In the example below I was generating a new one for my PRTG server:

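more openssl-csr.conf
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
# In a prompting config the plain field name sets the prompt text and
# <field>_default sets the value that is used when you press Enter.
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = GB
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Cambs
localityName                = Locality Name (e.g. city)
localityName_default        = Peterborough
organizationName            = Organization Name (e.g. company)
organizationName_default    = Net Assured Limited
commonName                  = Common Name (e.g. server FQDN or YOUR name)
# Extensions added to the request: the SAN list is read from [alt_names]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = prtg1.corp.netassured.co.uk
DNS.2   = www.prtg1.corp.netassured.co.uk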

Step 2 – Using OpenSSL to generate CSRs with Subject Alternative Name extensions

Generate the request, pulling in the details from the config file. Note that -nodes writes the private key to disk unencrypted:

sudo openssl req -out prtg1-corp-netassured-co-uk.csr -newkey rsa:2048 -nodes -keyout prtg1-corp-netassured-co.uk.key -config openssl-csr.conf

You’ll notice that you are not prompted for the SAN extensions, but they’ll still be present in the CSR. You can view them by running:

openssl req -noout -text -in prtg1-corp-netassured-co-uk.csr

Now proceed as normal to have your certificate signed by a CA, import it to your devices and hopefully not receive any more untrusted certificate errors.
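The two steps above as a non-interactive script that also checks the result, added here as an example and not part of the original post. The function names (make_san_csr, csr_sans, csr_has_sans) are hypothetical, and it assumes a config with prompt = no so the subject comes from the arguments instead of from prompts.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames are supplied by the
# caller; the CN is also written as DNS.1 so it is covered by the SAN list.

# make_san_csr BASE CN [SAN...]: writes BASE.key and BASE.csr without prompting
make_san_csr() {
    base=$1; cn=$2; shift 2
    conf=$(mktemp) || return 1
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
        printf 'req_extensions = req_ext\n[ dn ]\ncommonName = %s\n' "$cn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$conf"
    rc=0
    # -nodes leaves the key unencrypted, so create it with owner-only access
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -keyout "$base.key" \
          -out "$base.csr" -config "$conf" 2>/dev/null ) || rc=$?
    rm -f "$conf"
    return "$rc"
}

# csr_sans CSR: prints the DNS names in the CSR's SAN extension, one per line
csr_sans() {
    openssl req -noout -text -in "$1" 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_has_sans CSR NAME...: succeeds only if every NAME is a DNS SAN in CSR
csr_has_sans() {
    csr=$1; shift
    sans=$(csr_sans "$csr")
    for want in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF -- "$want"; then
            echo "missing SAN: $want" >&2
            return 1
        fi
    done
}

# Usage: sh san-csr.sh BASE CN [SAN...]
if [ "$#" -ge 2 ]; then
    make_san_csr "$@" && base=$1 && shift && csr_has_sans "$base.csr" "$@"
fi
```

The same check is worth repeating on the issued certificate (openssl x509 -noout -text -in on the signed file), since a CA only includes the SANs if it is configured to copy or set that extension.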

Tagged under: Security, SSL
