OpenSSL Certificate (Version 3) with Subject Alternative Name


I'm using the OpenSSL command line tool to generate a self-signed certificate. It seems to be working correctly except for two issues. I can't get it to create a .cer with a S

9 answers
  •  独厮守ぢ
    2021-01-31 04:06

    I got it to work with the following version (emailAddress was incorrectly placed):

    [ req ]
    default_bits        = 2048 
    default_keyfile     = privkey.pem 
    distinguished_name  = req_distinguished_name
    req_extensions          = v3_req
    x509_extensions         = v3_ca
    
    [req_distinguished_name]
    C = [Press Enter to Continue]
    C_default = US 
    C_min = 2 
    C_max = 2 
    
    O = [Press Enter to Continue]
    O_default = default 
    
    0.OU=[Press Enter to Continue]
    0.OU_default = default 
    1.OU=[Press Enter to Continue]
    1.OU_default = PKI 
    2.OU=[Press Enter to Continue] 
    2.OU_default = ABCD
    commonName = Public FQDN of server 
    commonName_max = 64
    emailAddress = [Press Enter to Continue] 
    emailAddress_default = myEmail@email.com
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment
    
    [ v3_ca ]
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    subjectAltName         = email:myEmail@email.com
    issuerAltName          = issuer:copy
    

    Notes:

    • To generate the certificate I used:

      openssl req -config req.cnf -new -nodes -out req.pem -x509
      
    • I haven't seen much use for issuerAltName (if you have I'd be interested to know where).
    • Using issuer:always isn't recommended for authorityKeyIdentifier.
    • Using email:copy now works with subjectAltName.
    • v3_req section is superfluous (as well as the req_extensions line).
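
A way to confirm that a certificate produced this way is really X.509 version 3 and carries the Subject Alternative Name, shown as an added example that is not part of the original answer. It uses a non-interactive variant of the config (prompt = no); the names example.test and admin@example.test and the helper function names are constructed placeholders, and a DNS entry is added next to email:copy for illustration.

```shell
#!/bin/sh
# Added example. All names (example.test, admin@example.test) are constructed.

# Write a non-interactive variant of the answer's config to file $1.
write_cnf() {
cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
C            = US
O            = Example Org
CN           = server.example.test
emailAddress = admin@example.test

[ v3_ca ]
subjectKeyIdentifier = hash
subjectAltName       = email:copy, DNS:server.example.test
EOF
}

# Create key and self-signed certificate in directory $1 (same req call as the answer).
make_cert() {
    write_cnf "$1/req.cnf" &&
    openssl req -config "$1/req.cnf" -new -nodes -x509 \
        -keyout "$1/privkey.pem" -out "$1/req.pem" 2>/dev/null
}

# Print the X.509 version number of certificate file $1.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: *\([0-9]*\).*/\1/p'
}

# Print the SAN value line (the line after the extension header) of file $1.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Succeed only if cert $1 is version 3 and its SAN contains the literal entry $2.
check_cert() {
    [ "$(cert_version "$1")" = "3" ] || { echo "not a v3 certificate" >&2; return 1; }
    cert_san "$1" | grep -qF "$2" || { echo "SAN entry missing: $2" >&2; return 1; }
}

dir=$(mktemp -d) && make_cert "$dir" &&
    check_cert "$dir/req.pem" "email:admin@example.test" && cert_san "$dir/req.pem"
rm -rf "$dir"
```

The check for the email entry shows email:copy taking the address from the subject's emailAddress field rather than from a literal in the extension section.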
