How do you add a subjectNameAlt extension to X509_REQ?

北城以北 submitted on 2019-12-06 23:50:44

Question


I am creating a CSR which is going to be processed by my server. It needs to set the subjectNameAlt so that the server can process it. I've searched far and wide, and have only found how to do it with normal X509 certs, not X509_REQ. How can I do this (with C and OpenSSL. I.e. I need the equivalent of X509_get_ext_d2i but for X509_REQ)?


Answer 1:


Programmatically

Have a look at the demos/x509/mkreq.c file that comes with OpenSSL. It creates a request and adds an email address as an alternative name. Stripped down it does the following:

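/* x is the X509_REQ being built */
STACK_OF(X509_EXTENSION) *exts = sk_X509_EXTENSION_new_null();
add_ext(exts, NID_subject_alt_name, "email:steve@openssl.org");
X509_REQ_add_extensions(x, exts);  /* encodes the extensions into the request */
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);  /* caller still owns the stack */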

The add_ext is implemented like this:

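/* Build one extension from its text form and push it onto the stack. */
int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value) {
  X509_EXTENSION *ex;
  ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
  if (!ex)
    return 0;
  if (!sk_X509_EXTENSION_push(sk, ex)) {  /* push failed: ex is still ours */
    X509_EXTENSION_free(ex);
    return 0;
  }
  return 1;
}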

From the command line

I leave this section in place for others, although OP requested an API.

https://wiki.cacert.org/FAQ/subjectAltName advises to copy the openssl.cnf file to a temporary openssl-san.cnf file and then edit that like this:

[req]
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1.yourdomain.tld
DNS.2 = host2.yourdomain.tld


Source: https://stackoverflow.com/questions/15964681/how-do-you-add-a-subjectnamealt-extension-to-x509-req
