For everybody who doesn't like to edit the system-wide openssl.conf, there's a native openssl CLI option for adding the SANs to the .crt from a .csr. All you have to use is openssl's -extfile and -extensions CLI parameters.
Here's an example:
openssl x509 -req -days 3650 -in alice.csr -signkey aliceprivate.key -out alice.crt -extfile alice-csr.conf -extensions v3_req
This requires an alice-csr.conf file, which looks like this (fill in your appropriate data) and which was used to generate the .csr with the command openssl req -new -key aliceprivate.key -out alice.csr -config alice-csr.conf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = Thuringia
L = Erfurt
O = Alice Corp
OU = Team Foo
CN = server-alice
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = server-alice
DNS.2 = localhost
Keep in mind that the -extensions v3_req option corresponds to the [v3_req] section in the file alice-csr.conf, where you define your Subject Alternative Names, aka the domains which you want to issue your certificate to.
As I always appreciate fully comprehensible examples, where one could reproduce every step, I created an example project featuring Spring Boot microservices: https://github.com/jonashackt/spring-boot-rest-clientcertificates-docker-compose
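A way to check the result, as an added example that is not part of the original post or the linked project: it issues the certificate once without and once with -extfile/-extensions and lists the DNS SANs each file carries, since by default openssl x509 -req does not copy extensions from the request. The temp directory, the plain.crt name, the sans_of and sign helpers, and the trimmed DN are assumptions made for the example.

```shell
#!/bin/sh
# Added example; every file lives in a throwaway temp dir. The config is the page's
# alice-csr.conf with the DN trimmed to CN (constructed sample data).
WORK=$(mktemp -d)
cat > "$WORK/alice-csr.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = server-alice
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = server-alice
DNS.2 = localhost
EOF

# sans_of <req|x509> <file>: sorted, comma-joined DNS SANs; empty string if none.
sans_of() {
  openssl "$1" -in "$2" -noout -text | grep -o 'DNS:[^, ]*' | sort | paste -sd, -
}

# sign <out.crt> [extra args]: the page's self-signing command plus optional extras.
sign() {
  out=$1; shift
  openssl x509 -req -days 3650 -in "$WORK/alice.csr" \
    -signkey "$WORK/aliceprivate.key" -out "$out" "$@" 2>/dev/null
}

openssl genrsa -out "$WORK/aliceprivate.key" 2048 2>/dev/null
openssl req -new -key "$WORK/aliceprivate.key" -out "$WORK/alice.csr" \
  -config "$WORK/alice-csr.conf"

sign "$WORK/plain.crt"   # no -extfile: request extensions are not copied
sign "$WORK/alice.crt" -extfile "$WORK/alice-csr.conf" -extensions v3_req

echo "CSR SANs:             $(sans_of req  "$WORK/alice.csr")"
echo "cert without extfile: $(sans_of x509 "$WORK/plain.crt")"
echo "cert with extfile:    $(sans_of x509 "$WORK/alice.crt")"
```

A client that validates hostnames against the SAN list will reject plain.crt for both names, so running this check on an issued certificate catches a forgotten -extfile before deployment.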