How to sign certificates while retaining SAN fields

I recently wrote a post about certificate signing – specifically, about how to create and sign a certificate request so that you end up with one certificate signed by another. One thing I did not cover there, was how to include Subject Alternative Names (SAN) data in the signed certificate. To be honest, I did not realize I needed that at first, but it soon became obvious, and figuring out how to do it actually took some work.

In the end I found I had to use a different OpenSSL command for the actual signing step, and to create an extra, separate config file for the SAN data. If you’ve followed steps 1-4 in the original post, you should be fine – just replace step 5 with the following:

Create a config-file with the SAN data

I called this file extensions.cnf, and it contained the following (with server names anonymized, obviously):

[SAN]
subjectAltName="DNS:my-server-name.northeurope.cloudapp.azure.com, DNS:api.my-server-name.northeurope.cloudapp.azure.com, DNS:other-url.northeurope.cloudapp.azure.com"

To be safe, I saved this as an ANSI text file, in the same way as described in the original post. This config file was saved next to the certificate request (myreq.pem in the previous post). The signed certificate could now be created using:

openssl x509 -req -days 365 -CA certauth/ca.crt -CAkey certauth/ca.key -CAcreateserial -extensions SAN -extfile extensions.cnf -in myreq.pem -out signed-cert.crt

A couple of points here:

  • x509 -req is a different command for generating (and signing) the certificate, and replaces ca from the original post.
  • -config certauth.conf which referred to the config file for the CA is replaced with a couple of simple parameters: -days 365 which specifies the validity period of the cert (1 year), -CA certauth/ca.crt which points to the cert to use for signing, and -CAkey certauth/ca.key which points to it’s corresponding private key.
  • -extensions SAN -extfile extensions.cnf includes the SAN section of the file we created above, while -in and -out obviously specify the request defining the certificate, and the name of the file to write it to.

Working out how to do this was a little frustrating at times, but also interesting and enlightening once I got it to work. I hope it may save you some time and frustrations!

Cheers!

2 thoughts on “How to sign certificates while retaining SAN fields

Engage and contribute for the common benefit of mankind!

This site uses Akismet to reduce spam. Learn how your comment data is processed.