1

OpenSSL: how to generate a CSR with interactively solicited Subject Alternative Names (SANs)?

view story
linux-howto

http://serverfault.com – I wish to configure OpenSSL such that when running openssl req -new to generate a new certificate signing request, I am prompted for any alternative subject names to include on the CSR. I have added this line to the [req_attributes] section of my openssl.cnf: subjectAltName = Alternative subject names This has the desired effect that I am now prompted for SANs when generating a CSR: $ openssl req -new -out test.csr -key ./test.key <<< You are about to be asked to enter information that will be incorporated into your certificate request. (HowTos)

taskli's picture
Submitted by taskli on 12/06/2012

Stories similar to OpenSSL: how to generate a CSR with interactively solicited Subject Alternative Names (SANs)?

I wrote this bit of code to get the Common Name of the subject field in the SSL certificate for a given domain:

$ echo -e "GET / HTTP/1.1\nEOT" | openssl s_client -connect google.com:443 2>&1 | grep subject subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com

However, this only gives me the “subject” value.

I've generated a certificate using openssl and place it on the client's machine, but when I try to connect to my server using that certificate, I error mentioned in the subject line back from my server.

Here's what I've done.

I installed an recompiled both Apache and PHP5, but it seems I am doing something wrong and unable to omit the old openssl. How can I configure and recompile to use only the new one?

From my phpinfo():

Apache/2.4.2 (Unix) OpenSSL/0.9.8o

OpenSSL support enabled OpenSSL Library Version OpenSSL 0.9.8o 01 Jun 2010 OpenSSL Header Version OpenSSL 1.0.1 14 Mar 2012

I have a confusion to choose the best way for upgrading the OpenSSL on my Linux machine.

1*Through the yum Update.*

# yum update

I know this will update the entire packages. But If I want to specifically update OpenSSL

Can I use # yum update OpenSSL

2.

I'm new in linux.

We went through the steps of revoking an SSL Certificate used by our OpenLDAP server and renewing it but we are unable to start slapd.

Here are the commands we used:

openssl verify hostname_domain_com_cert.pem

We got back that the certificate was expired but "OK"

We revoked the certificate we'd been using:

openssl ca -revoke /etc/ssl/certs/hostname_domain_com_cert.pem

Revoking worked

I'm trying to generate a CSR with godaddy.

I'm not sure how to recompile PHP with OpenSSL? I've been looking around the OpenSSL PHP page and the OpenSSL tutorials but I don't see any openssl.so or php-openssl.so around my server?

Is there a simple package on apt-get channel so I can install it from there?

I just need to recompile PHP with OpenSSL, but I have no idea how to do this.

EDIT: I run a dedicated server and it's Ubuntu 11.10.

php, openssl and GOST 9 weeks 4 hours ago

I'm trying to sign an S/MIME with PHP, using a pair of GOST-encrypted certificate and a private key.

When using openssl itself from a console everything is fine:

/usr/local/openssl/bin/openssl cms -sign -in file.txt -out signedfile.txt -signer p12.pem (signedfile.txt is created)

/usr/local/openssl/bin/openssl cms -verify -in signedfile.txt -out signedddata.txt -no_signer_cert_verify -issuer_che