How to inherit the commonName to the subject alternative name

openssl

On my pc with Windows 10 installed, I have to use OpenSSL. I have downloaded the version 1.0.2n and following this guide: Creating an SSL Certificate with Multiple Hostnames I modified the openssl.cfg configuration file (located in C:\OpenSSL-Win64\bin).

After some testing, I can generate with no problem both keys and certificates.

My problem is the following: my indications for the certificates generation are such that the Subject Alternative Name must have only 1 value and must match with the Common Name field. So, if (filling out certificate) I fill the commonName field with example.com, also the Subject Alternative Name must be example.com. I know that I can change every time the cfg file and set manually the value for the SAN in the v3-req section, but I want avoid this; I'm searching for a way to copy the value I prompt for the common name in the SAN field.

So, I tried this: in the openss.cfg file I went to v3 req section and I changed it in this way:

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment 
subjectAltName = @alt_names

[alt_names] 
DNS.1 = commonName:copy

that is, I tried to exploit the :copy function but, unfortunately, this action does not work. If, after certificate generation, I launch the command 

req -text -noout -in <filename.csr>

to verify my certificate, in the specific section I get this:

X509v3 Subject Alternative Name:
    DNS:commonName.copy

As you can see, the output is the right side of my declaration under the [alt_names] section.

So, the questions are: Is there a method to to inherit the commonName to the subject alternative name? And if yes, how?


Use ${section::name} to read previously defined variables.

Here's an example that works:

[ req ]

prompt             = no
string_mask        = default

# The size of the keys in bits:
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]

# Or traditional org style:
countryName = gb
organizationName = example
commonName = acme.example.test

[ req_ext ]

subjectAltName = @alt_names

[alt_names]
DNS.1 = ${req_dn::commonName}
DNS.2 = alt.example.test

Followed by:

openssl req -nodes -new -keyout test.key -out test.csr -config ./openssl.cnf

This results in:

openssl req -noout -text -in test.csr

giving:

 ...
    Attributes:
    Requested Extensions:
        X509v3 Subject Alternative Name:
            DNS:acme.example.test, DNS:alt.example.test
Signature Algorithm: sha256WithRSAEncryption
     92:1c:e0:0e:6d:7d:2e:b4:64:c5:ab:ff:6a:37:dd:35:98:58:
 ...

Related

Certbot renew certificates with autoprovided webroot
Apache - Need to rewrite /contact/ to /contact.php
Cannot add a self signed certificate in Firefox
Can I RDP through mstsc and run a script on that remote desktop?
Why does curl work with a specific https site, but wget has problems with certificates?
How can I get Microsoft Command Line Utilities 14 for SQL Server to install?
How do I execute manage.py in Google App Engine?
Why can't I make a failover cluster using iSCSI for shared storage?
Amazon RDS mysql enable slow querry log
Valid SSL certificate for domain/subdomain pointed at a private IP address
Change password of new Windows domain user account without logging into the account?
Split subdomains to separate DNS servers