§2023-08-02

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
commonName = yushei.net

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = yushei.net
DNS.2 = orgpi5arch.yushei.net
DNS.3 = orgpi5jammy.yushei.net
DNS.4 = hc4jammy.yushei.net
DNS.5 = n2mnmin.yushei.net
DNS.6 = h2jammy.yushei.net
DNS.7 = h2nas01.yushei.net
DNS.8 = hc4mnmin.yushei.net

$ openssl genpkey -algorithm RSA -out mongoCA.key
$ openssl req -new -key mongoCA.key -out mongoCA.csr -config ./openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
yushei.net []:yushei.net
$ openssl x509 -req -in mongoCA.csr -signkey mongoCA.key -out mongoCertificate.pem -extfile ./openssl.cnf -extensions v3_req
Certificate request self-signature ok
subject=CN = yushei.net
$ openssl x509 -in mongoCertificate.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            49:6d:25:09:fd:49:9b:c9:90:14:c0:83:0e:ef:28:59:e5:b6:b0:17
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = yushei.net
        Validity
            Not Before: Aug  2 12:30:53 2023 GMT
            Not After : Sep  1 12:30:53 2023 GMT
        Subject: CN = yushei.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:yushei.net, DNS:orgpi5arch.yushei.net, DNS:orgpi5jammy.yushei.net, DNS:hc4jammy.yushei.net, DNS:n2mnmin.yushei.net, DNS:h2jammy.yushei.net, DNS:h2nas01.yushei.net, DNS:hc4mnmin.yushei.net
            X509v3 Subject Key Identifier: 
                41:D2:79:9A:E2:9C:BB:57:05:BB:87:4C:53:B9:A7:31:E0:62:76:71
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
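
Added example (not part of the original notes): `openssl x509 -req` does not copy extensions from the CSR by default, so the SAN reaches the certificate only because of `-extfile`/`-extensions`. The script signs one CSR both ways and reports which expected names are missing; the `example.internal` names, the file names and the use of `-subj` instead of the interactive prompt are assumptions made for the demonstration.

```shell
# Added example: constructed names under example.internal, throwaway files in a temp dir.
set -eu

# Print the DNS names found in a certificate's SAN extension, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# Print each expected name ($2...) that the certificate ($1) does not carry.
missing_sans() {
    cert=$1; shift
    have=$(san_names "$cert")
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Build a key, a CSR and two self-signed certificates from the same CSR:
# with_ext.pem is signed with -extfile/-extensions, no_ext.pem without them.
build_demo() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
commonName = Common Name
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.internal
DNS.2 = db1.example.internal
EOF
    openssl genpkey -algorithm RSA -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -subj "/CN=example.internal" \
        -config "$dir/openssl.cnf" -out "$dir/req.csr"
    openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" -days 30 \
        -out "$dir/no_ext.pem" 2>/dev/null
    openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" -days 30 \
        -extfile "$dir/openssl.cnf" -extensions v3_req \
        -out "$dir/with_ext.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_demo "$demo_dir"
echo "with -extfile, missing: $(missing_sans "$demo_dir/with_ext.pem" example.internal db1.example.internal | tr '\n' ' ')"
echo "without -extfile, missing: $(missing_sans "$demo_dir/no_ext.pem" example.internal db1.example.internal | tr '\n' ' ')"
```

`missing_sans` can be pointed at any PEM certificate with the list of host names clients will connect to; empty output means every name is covered.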

openSSL OpenSSL 3.0.8 7 how to generate pem with "Subject Alternative Name"

In OpenSSL 3.0.8, you can generate a PEM file with Subject Alternative Name (SAN) extensions using the openssl req command to create a certificate signing request (CSR). The CSR will contain the Subject Alternative Name information, which you can later use to create a PEM file that includes the SAN extension.

Here's the step-by-step process to generate a PEM file with Subject Alternative Name using OpenSSL 3.0.8:

Create a configuration file (e.g., openssl.cnf) with the SAN extension: First, create a text file with the following content and save it as openssl.cnf (you can adjust the values accordingly):

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
commonName = Your_Common_Name

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com

Replace Your_Common_Name with the desired Common Name (e.g., your domain name).

Generate the private key: Run the following command to generate a private key:

openssl genpkey -algorithm RSA -out private.key

Generate the certificate signing request (CSR) using the configuration file: Use the following command to generate the CSR:

openssl req -new -key private.key -out request.csr -config openssl.cnf

Generate the PEM file with the SAN extension: Finally, generate the PEM file using the following command:

openssl x509 -req -in request.csr -signkey private.key -out certificate.pem -extfile openssl.cnf -extensions v3_req

The certificate.pem file should now include the Subject Alternative Name (SAN) extension along with the Common Name (CN) specified in the openssl.cnf configuration file.

Make sure to replace example.com and www.example.com with the actual domain names or IP addresses you want to include in the Subject Alternative Name (SAN) extension. You can add more SANs if needed by adding additional DNS.x entries under the [alt_names] section in openssl.cnf.

User
verify certificate.pem has SAN

ChatGPT
To verify whether the certificate.pem file has Subject Alternative Name (SAN) extensions, you can use the openssl x509 command. Specifically, you can view the extensions section of the certificate and check for the presence of the Subject Alternative Name (SAN) extension.

Here's the command to view the extensions of the certificate:

openssl x509 -in certificate.pem -noout -text

This command will display detailed information about the certificate, including the extensions. Look for a section that starts with X509v3 extensions:. If the certificate has a SAN extension, you should see a line similar to the following:

X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:example.com, DNS:www.example.com

In this example, the certificate contains two DNS entries (example.com and www.example.com) as Subject Alternative Names.

If the certificate does not have a SAN extension, you won't see the X509v3 Subject Alternative Name section in the output.

Please note that the output may vary depending on the content of your certificate and the extensions it contains. The key point is to look for the presence of the X509v3 Subject Alternative Name section to confirm whether SANs are present in the certificate.
