Adding Subject Alternate Names (SAN) to an existing Cert Signing Request (CSR)

certificate csr subject-alternative-names

Can any one tell me how I an add a number of Subject Alternate Names to an existing CSR?

I'm not talking about generating a CSR with SANs or adding SANs at signing time - I know how to do both of these things.

Background: The problem we have is that HP blade chassis, allow you to generate CSRs, but they only allow a single SAN. We can't use a CSR generated elsewhere as we could not use the resultant cert as there is no way (that I can find) to upload the key to the blade chassis.

Our CA's standard process does not allow for adding SANs are signing time. They are willing to experiment, however I am trying to find a solution at our end as this will mean we won't have to rely on them having a non standard process for us - in my experience if they need to use a non standard process life will eventually get difficult. E.g. when a staff member who knows the non standard process is not present due to leave etc.

Current method is to connect to the bladechassis onboard admin via the web gui and generate the CSR with a single CN.

The web gui only allows for a single SAN in the CSR.

Then we self sign it with the following stanza in the openssl config:

[ v3_ca ]
subjectAltName = "DNS:bladesystem8,DNS:bladesystem8.services.adelaide.edu.au,DNS:bladesystem8-backup,DNS:bladesystem8-backup.services.adelaide.edu.au"

The resultant cert has the extra SANs.


If your chassis doesn't support adding SANs, you'll need to get the key off the chassis and generate the CSR with openssl.

Make sure req_extensions = v3_req is uncommented in the [ req ] section.

Add the subjectAltName to the [ v3_req ] section.

Generate a new CSR.

openssl req -new -key extracted_c7000.key -out your_new.csr

You cannot edit an existing CSR.


While cakemox's answer is definitely the easiest if you can somehow get a copy of the private key, there's another way if you can't by basically re-signing the CSR using an "Enrollment Agent" certificate.

This css-security.com blog post has all of the nitty gritty details. But the high level overview of the process looks like this:

  • Acquire an Enrollment Agent Certificate
  • Modify an SSL certificate template to require an EA certificate for issuance
  • Acquire a CSR that needs SAN Information
  • Use the EA certificate to resign the CSR while adding the SAN information

When I tried this personally, I'm pretty sure I skipped the part about modifying the certificate template. Presuming you can generate an Enrollment Agent cert for yourself, the actual process looks something like this.

Create a san.inf with the SAN extension info in it

[Extensions]
2.5.29.17="{text}dns=mysan1.example&dns=mysan2.example"

Re-sign the request

certreq -policy -config "myca.example\CA" orig-request.csr san.inf corrected-request.csr

Submit the corrected request

certreq -submit -config "myca.example\CA" -attrib "CertificateTemplate:MyTemplate" corrected-request.csr

And then proceed as normal with the issuance process.

Related

Will setting up a VM with more than 1 cpu/ core actually improve performance?
Finding out who has modified a Stored Procedure on SQL Server?
UNIX permissions to allow group users to kill each others' processes
SSH-forwarded X11 display from Linux to Mac lost after some time
How Serviceable are Tape Drives?
GeoIP for configuration into nginx
Why can't I create this gluster volume?
Apache not finding folder on File System; Appending "\xe2\x80\x9d" to end of File Paths
Firewalld CentOS 7 Masquerading
Get login name using email address with Powershell
LXC container not starting
How to create TLS SHA256 certificate request