How to add multiple email addresses to an SSL certificate via the command line

certificatesopensslssl

I know that by adding/modifying the SubjectAltName entry in openssl.cnf this can be achieved, but is there a way to do so without having to modify that file every time?

Best Answer

You don't have to mess around with the openssl.cnf file in any way.

The following command demonstrates how to generate a self-signed certificate with SAN for the email nobody@example.com:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj '/CN=Nobody' \
  -extensions san \
  -config <(echo '[req]'; echo 'distinguished_name=req';
            echo '[san]'; echo 'subjectAltName=email:nobody@example.com')

The trick here is to include a minimal [req] section that is good enough for OpenSSL to get along without its main openssl.cnf file.

In OpenSSL ≥ 1.1.1, this can be shortened to:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj '/CN=Nobody' \
  -addext 'subjectAltName=email:nobody@example.com'

Here we are using the new -addext option, so we don't need -extensions and -config anymore.

Don't forget to verify the contents of the generated certificate:

openssl x509 -noout -text -in example.crt

Related Solutions

How to install a system-wide SSL certificate on openSUSE

As already mentioned SUSE supports ca-certificates starting with openSUSE 13.1 / SLES 12.

The difference to debian/Ubuntu is the directory for your certififcates. The SLES man page to update-ca-certificates has these directories:

FILES
   /usr/share/pki/trust/anchors
          Directory of CA certificate trust anchors.

   /usr/share/pki/trust/blacklist
          Directory of blacklisted CA certificates

   /etc/pki/trust/anchors
          Directory of CA certificate trust anchors for use by the admin

   /etc/pki/trust/blacklist
          Directory of blacklisted CA certificates for use by the admin

The openSUSE package mentions these:

- Packages are expected to install their CA certificates in 
  /usr/share/pki/trust/anchors or /usr/share/pki/trust (no extra subdir) instead
  of /usr/share/ca-certificates/<vendor> now. The anchors subdirectory is for
  regular pem files, the directory one above for pem files in
  openssl's 'trusted' format.

How to add SubjectAltNames to end-entity certificate in private PKI

OpenSSL will only copy the extension from the request to the certificate if it is configured to do so.

The option is called copy_extensions within the [ca] section of your config file.

If it is missing, or set to none then no extensions will be copied from your request to your certificate.

If set to copy it will copy any additional extensions from the request that are not in the certificate.

If set to copyall it will copy all extensions, overwriting any that are in the certificate.

man ca will tell you about it. It also comes with a warning. If you causally sign any request with the openssl ca command, when this option is set; you could end up issuing certificate with extensions such as CA:True. Check your requests first.

Best Answer

Related Solutions

How to install a system-wide SSL certificate on openSUSE

How to add SubjectAltNames to end-entity certificate in private PKI

Related Question