Generating certificate requests with additional subject identities using OpenSSL

The steps below describe the process used to create a certificate request and submit it to a certificate authority server in an internal environment. The same steps for creating the certificate request apply if you are submitting the request to a third-party certificate authority.

First, I will create a configuration file (openssl.cnf) to be used when generating the certificate request. The request will be created with a default key size of 2048 bits and the SHA-256 digest algorithm. In this example, I will be submitting a certificate request for the server ‘server1.domain.local’ with the additional subject identities ‘server1’, ‘192.168.0.1’, ‘server1.domain.local’ and ‘www.dean.local’.

[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:server1, IP:192.168.0.1, DNS:server1.dean.local, DNS:www.dean.local

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Midlothian
localityName = Edinburgh
0.organizationName = Dean Grant
organizationalUnitName = Servers
commonName = server1.dean.local

We will now create the certificate request to send to the certificate authority. The private key generated alongside the request is converted to the traditional RSA key format and the original key file is removed. Once the certificate request has been generated, place it in a location that is accessible for submission to the certificate authority server.

cd /tmp
openssl req -new -nodes -out server1.dean.local.csr -keyout orig-server1.dean.local.key -config openssl.cnf
openssl rsa -in orig-server1.dean.local.key -out server1.dean.local.key
rm -f orig-server1.dean.local.key
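As an added example (not part of the original post), the script below writes the configuration above (minus default_keyfile, which -keyout overrides), generates the request and key as in the commands above, and then checks before submission that every intended identity is present in the CSR and that the converted key matches it. It assumes the openssl CLI is on PATH and a writable temporary directory; the function names are the example's own.

```shell
# Build the SAN certificate request and verify it before sending it to the CA.
# Assumes openssl is on PATH; names and addresses are the ones from the post.
set -eu
write_cnf() {  # write openssl.cnf into directory $1
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:server1, IP:192.168.0.1, DNS:server1.dean.local, DNS:www.dean.local
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Midlothian
localityName = Edinburgh
0.organizationName = Dean Grant
organizationalUnitName = Servers
commonName = server1.dean.local
EOF
}
generate_csr() {  # key + CSR in $1; convert the PKCS#8 key to RSA form, drop the original
    openssl req -new -nodes -config "$1/openssl.cnf" \
        -keyout "$1/orig.key" -out "$1/server1.dean.local.csr" 2>/dev/null
    openssl rsa -in "$1/orig.key" -out "$1/server1.dean.local.key" 2>/dev/null
    rm -f "$1/orig.key"
}
csr_sans() {  # print the SAN line of CSR $1, e.g. "DNS:server1, IP Address:192.168.0.1, ..."
    openssl req -in "$1" -noout -text | awk '/Subject Alternative Name/ {getline; sub(/^ */, ""); print}'
}
check_csr() {  # fail unless CSR $1 carries every expected identity and matches private key $2
    sans=", $(csr_sans "$1"), "
    for id in "DNS:server1" "IP Address:192.168.0.1" "DNS:server1.dean.local" "DNS:www.dean.local"; do
        case "$sans" in *", $id, "*) ;; *) echo "missing SAN: $id" >&2; return 1 ;; esac
    done
    # public key embedded in the CSR must equal the one derived from the converted key
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}
work=$(mktemp -d)
write_cnf "$work"; generate_csr "$work"
check_csr "$work/server1.dean.local.csr" "$work/server1.dean.local.key" && echo "CSR ready in $work"
```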

In this example I am submitting my certificate request to a certificate authority running Active Directory Certificate Services on Windows Server 2012. The request is submitted specifying the ‘WebServer’ certificate template and the certificate request file created previously. If prompted, select the certificate authority, which will then create the certificate file (server1.dean.local.crt) and the certificate chain file (server1.dean.local.pfx).

cd %temp%
certreq -attrib "CertificateTemplate:WebServer" -submit server1.dean.local.csr server1.dean.local.crt server1.dean.local.pfx

The certificate files may now be placed on the server on which you are configuring encryption. Depending on the certificate file requirements, you should have the following files available.

server1.dean.local.crt # certificate file
server1.dean.local.pfx # certificate chain file in personal exchange file (.pfx) format.
server1.dean.local.key # private key file
