Ĩesky | english
FAQ/subjectAltName (SAN)
What is subjectAltName ?
subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName) :
subjectAltName must always be used (RFC 3280 4.2.1.7, 1. paragraph). CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software. So if you set subjectAltName, you have to use it for all host names, email addresses, etc., not just the "additional" ones.
subjectAltName and CAcert CSR parser
The CSR parser strips any commonNames and subjectAltNames if the system can't match the domain in the system to your account, you can view domains listed on your account by going to the domains section of the website after you log in, and then clicking on View. (For this link to work, you have to log in with your username and password, not with a client certificate.)
According to the standards commonName will be ignored if you supply a subjectAltName in the certificates, verified to be working in both the latest version of MS IE and Firefox (as of 2005/05/12)...
Add multiple SANs into your CSR with OpenSSL
- Copy your default openssl.cnf file to a temporary openssl-san.cnf file
- Edit the openssl-san.cnf file to add addtl. required parameters
[req] req_extensions = v3_req [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = server1.example.com DNS.2 = mail.example.com DNS.3 = www.example.com DNS.4 = www.sub.example.com DNS.5 = mx.example.com DNS.6 = support.example.com
Create the OpenSSL Private Key and CSR with OpenSSL
- 2 openssl commands in series
openssl genrsa -out srvr1-example-com-2048.key 4096 openssl req -new -out srvr1-example-com-2048.csr -key srvr1-example-com-2048.key -config openssl-san.cnf
Check multiple SANs in your CSR with OpenSSL
- the openssl command
openssl req -text -noout -in <yourcsrfile>.csr
- will result in
eg. Certificate Request: Data: Version: 0 (0x0) Subject: C=DE, ST=Germany, L=City, O=Company, OU=Organisation-Unit, CN=server1.example.com/emailAddress=alias@example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) Modulus (4096 bit): [...] Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:server1.example.com, DNS:mail.example.com, DNS:www.example.com , DNS:www.sub.example.com, DNS:mx.example.com, DNS:support.example.com Signature Algorithm: sha1WithRSAEncryption [...]
Copy content of CSR file to New Server Cert Form ...
- ... and process the signing request results in an output:
Please make sure the following details are correct before proceeding any further. CommonName: server1.example.com subjectAltName: DNS:server1.example.com subjectAltName: DNS:mail.example.com subjectAltName: DNS:www.example.com subjectAltName: DNS:www.sub.example.com subjectAltName: DNS:mx.example.com subjectAltName: DNS:support.example.com No additional information will be included on certificates because it can not be automatically checked by the system. [submit]
- results in
Below is your Server Certificate -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
copy & paste the text including
"-----BEGIN CERTIFICATE-----" -and- "-----END CERTIFICATE-----"
- into a new file, e.g. srvr1-example-com-2048-signed-class1.key
Verify the Signed (Public) Keyfile with OpenSSL
- the openssl command
openssl x509 -text -in srvr1-example-com-2048-signed-class1.key -noout
- will result in
Certificate: Data: Version: 3 (0x2) Serial Number: 4451 (0x1163) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 14:41:43 2012 GMT Not After : Oct 21 14:41:43 2012 GMT Subject: CN=server1.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:server1.example.com, othername:<unsupported>, DNS:mail.example.com, othername:<unsupported>, DNS:www.example.com, othername:<unsupported>, DNS :www.sub.example.com, othername:<unsupported>, DNS:mx.example.com, othername:<un supported>, DNS:support.example.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...]
Further Readings