OpenSSL - Add Subject Alternate Name (SAN) when signing with CA

How can I add a Subject Alternate Name when signing a certificate request using OpenSSL (in Windows if that matters)?

I've generated a basic certificate signing request (CSR) from the IIS interface. Now, I'd like to add several subject alternate names, sign it with an existing root certificate, and return the certificate to complete the signing request.

Every tutorial I could find involves generating a new private key and a brand new CSR, however I was under the impression that the private key resides on the requesting computer (which I wouldn't necessarily have access to). I just want to sign the request while adding the alternate names. I'm relatively new to OpenSSL and CA topics so this may be a misunderstanding on my part.


Personally I add the alt names at CSR generation, so I know that works (there's a little byplay in default conf files both for generation and signing).

For changing afterwards, as far as I remember the Alt Names are extensions, and it seems you can override or add the extensions you want while doing the signing. I will shamelessly copy:

From: Patrick Patterson @carillonis.com
Newsgroups: mailing.openssl.users
Subject: Re: Sign CSR after modifying data in CSR possible?
Date: Tue, 5 Jan 2010 15:14:05 -0500
Message-ID: <mailpost.1262722567.7762451.82829.mailing.openssl.users@FreeBSD.cs.nctu.edu.tw>

when you are using the openssl CA (strangely enough: openssl ca) command, you can give it numerous options, including which Subject value to use (the -subj argument), and which extensions to use (via the -extfile and -extensions arguments).

so you can set both which extensions you want and which Subject you want (causing both values in the CSR to be completely ignored) by a command like:

openssl ca -config /etc/myca/openssl.cnf                       \
    -extfile /etc/myca/openssl-exts.cnf                        \
    -extension sig-medium                                      \
    -subj "/C=CA/O=Example Company/OU=Engineering/CN=John Doe" \
    -in req.csr                                                \
    -out john-doe.pem

Where:

/etc/myca/openssl-exts.cnf contains:

[ sig-medium ]
basicConstraints                = CA:FALSE
keyUsage                        = critical, digitalSignature
extendedKeyUsage                = emailProtection, anyExtendedKeyUsage
nsComment                       = "Do Not trust - PURE TEST purposes only"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer
subjectAltName                  = @testsan
authorityInfoAccess             = @aia_points
crlDistributionPoints           = @crl_dist_points

[ testsan ]
email = [email protected]
DNS = www.example.com
dirName = test_dir
URI = http://www.example.com/
IP = 172.16.0.1
otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:[email protected]
otherName.1 = 1.3.6.1.5.5.7.8.7;IA5STRING:_mail.example.com
otherName.2 = 1.3.6.1.5.5.7.8.5;UTF8:[email protected]

[aia_points]
caIssuers;URI.0=http://www.example.com/caops/Signing-CA.p7c
caIssuers;URI.1=ldap://dir.example.com/<DN of Signing 
CA>?cACertificate;binary?base?objectclass=pkiCA

[crl_dist_points]
URI.0=http://www.example.com/caops/test-signca1-crl.crl
URI.1=ldap://dir.example.com/<DN of Signing 
CA>?certificateRevocationList;binary?base?objectclass=pkiCA