Comments on I Think Tech: Creating Wildcard self-signed certificates with openssl with subjectAltName (SAN - Subject Alternate Name)
Blog author: Brahmana (Srirang), http://www.blogger.com/profile/10677241604486586254
Comment feed, 15 comments, newest first (feed last updated 2024-02-15; times are UTC+05:30)

Leo (https://www.blogger.com/profile/03312032964932128837), 2016-04-20 20:51:
Thanks for this post. I found that I had to put both mydomain.com and *.mydomain.com in the alt_names section. Regardless of what I specified as the CN, I'd still get an error that the cert was only valid for one name until I added both to the alt_names section.

Hans (https://www.blogger.com/profile/00737191122339730632), 2016-02-29 22:13:
Many thanks for this information. It will help me very much. My clients expect that they can find (https://globalprotec.com/de) an SSL certificate at our website. Not all, but with international clients, you have to think internationally.

Anonymous, 2016-01-13 18:23:
The post is very informative; it helped me with great information, so I really believe you will do much better in the future.
Owncloud Privacy Services (https://internetz.me/en/tour/vpn/)

Jhon Marshal (https://www.blogger.com/profile/04118920802938626798), 2016-01-11 17:34:
I visited your blog for the first time and have just become your fan. I will be back often to check up on new stuff you post!
Buy VPN With Bitcoin (https://www.rapidvpn.com/)

Jhon Marshal (https://www.blogger.com/profile/04118920802938626798), 2016-01-08 02:42:
I really very much agree with your qualities; it is very helpful for look like home. Thanks so much for the info and keep it up.
mac design software (http://softwaredownloaded.com/)

Anonymous (https://www.blogger.com/profile/14987324446528852132), 2015-11-19 23:27:
I know that people say there are always vulnerabilities, but what if there weren't? Or, to be much more realistic, what if they were hard to find? What do hackers do then? If there is nothing for them to exploit, how can they gain access to whatever it is that they are targeting? Is finding vulnerabilities and then exploiting them the only way?

For the record, I have no interest in unethical hacking. I just want to find other ways to protect my website and programs.
cdn services (https://www.cdnfinder.com/)

JoVaRi (https://www.blogger.com/profile/17160202339946223299), 2015-04-01 19:26:
Just found the answer for myself:
Instead of using the "-signkey device.key" option for self-signing, you just use the "-CA, -CAkey, -CAserial" options to sign with your root CA.

But also make sure to use the extensions as described above with "-extensions v3_req -extfile openssl.cnf".

JoVaRi (https://www.blogger.com/profile/17160202339946223299), 2015-04-01 19:11:
Now comes the hard part:
Signing your CSR with altNames with your self-signed root certificate while keeping the alt names.
Please tell me that you know how to accomplish this!

Anonymous, 2014-11-13 21:38:
I believe you don't have to edit /etc/ssl/openssl.cnf (putting altnames there seems silly; req_extensions = v3_req is set by default, isn't it?). Just make an alt.txt containing

    [v3_req]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = domain1
    DNS.2 = domain2
    etc.

and supply it to -extfile.

Anonymous, 2014-06-22 22:30:
I'm not understanding what you're saying. I'm guessing you mean CSR, not SCR? It's not really a question of putting the cart before the horse.

I'm asking: if you are the CA and you receive a CSR to sign, shouldn't there be something embedded in the request that includes the extensions, rather than the person sending the CSR having to send the extensions in a config file separately? Unless I'm misunderstanding something, shouldn't the CA's function just be to sign off on the request, and not to have to obtain extensions in addition to the request it's signing?

I don't think you've answered my question, but thanks, I guess?

Anonymous (https://www.blogger.com/profile/09891485566463816469), 2014-06-20 12:28:
anakha000, you signed it using the scr provided. Then the provided scr has the key that has been generated before. It works successively.
In other words, you do not put the cart before the horse in order to ride it; first you put the horse and then the cart, not vice versa :-)

Anonymous, 2014-06-11 04:44:
Thank you for this! It was driving me nuts trying to figure out why the OpenSSL-provided CA.pl script wasn't including extensions when signing. They don't have this switch in their own file!

Can anyone here explain to me a way to sign with the extensions included in the request rather than resupplying them? For example, if I receive a request from someone and I want to sign it, why should I have to have their openssl.cnf extensions? Shouldn't I be able to decide whether to sign it as requested, rather than having to provide the extensions myself?

Anonymous (https://www.blogger.com/profile/09891485566463816469), 2014-06-01 20:42:
Perfect! Thank you for this posting! The -extfile option is exactly what I was looking for! I was stuck at this point too, but I just typed a few lines into Google and your blog saved my day! Otherwise I would also have had to tediously, monotonously, and boringly read through all the man pages and stuff. Thank you for sharing!

Artem Vasiliev (https://www.blogger.com/profile/13881512929474647141), 2014-05-14 16:42:
> "... You just specify that your Common Name (CN) a.k.a FQDN is *.yourdomain.com ..." - wrong. CN is deprecated for DNS names. Use the SAN.

Yeah, the browser (Chrome in my case) seems to prefer the SAN over the wildcard CN when both are present.
Fixed with a wildcard SAN (though they say it's against the RFC):

    [alt_names]
    DNS.1 = yourdomain.com
    DNS.2 = *.yourdomain.com

Unknown (https://www.blogger.com/profile/14669886992006241515), 2014-05-01 09:42:
"... You just specify that your Common Name (CN) a.k.a FQDN is *.yourdomain.com ..." - wrong. CN is deprecated for DNS names. Use the SAN.
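The thread above circles around four things: keeping the SAN in a separate extension file instead of editing the system openssl.cnf, listing both the bare domain and the wildcard in alt_names, signing the CSR with a private root CA (-CA/-CAkey instead of -signkey) without losing the SAN, and what a client actually matches against the result. The script below is an added example that ties those together; it is not code from the blog post or from any commenter. It assumes an OpenSSL 1.1.1 or newer CLI on PATH, and the domain example.test, the "Demo Root CA" name and all file names are made up for the demo. The hostname checks at the end use the same matching as a TLS client, which is why Leo's observation holds: *.example.test covers www.example.test but not example.test itself, and not a.b.example.test either, because a wildcard matches exactly one label.

```shell
#!/bin/sh
# Added example (not from the post or the comments). Builds a private root CA,
# a server CSR whose SAN lists both the bare domain and the wildcard, signs the
# CSR with the CA while carrying the SAN over, and reports which hostnames the
# finished certificate matches.
# Assumptions: OpenSSL 1.1.1+ on PATH; example.test and all paths are invented.
set -eu

DEMO_DOMAIN="${DEMO_DOMAIN:-example.test}"

# One self-contained config. [req]/[dn] exist only so "openssl req" does not
# need the system openssl.cnf; v3_ca, v3_req and alt_names are selected by
# name on the command line, which is the "-extfile alt.txt" trick from the thread.
write_config() {
  cat > "$1/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = $DEMO_DOMAIN

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DEMO_DOMAIN
DNS.2 = *.$DEMO_DOMAIN
EOF
}

# Private root CA: self-signed, CA:TRUE. Browsers trust it only once imported.
make_ca() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1/ca.key"
  openssl req -x509 -new -key "$1/ca.key" -config "$1/demo.cnf" \
    -subj "/CN=Demo Root CA" -extensions v3_ca -days 3650 -sha256 -out "$1/ca.crt"
}

# Server key and CSR. -reqexts also embeds the SAN request in the CSR, but
# "openssl x509 -req" ignores request extensions unless told otherwise, so the
# signing step re-supplies them from the same file.
make_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1/server.key"
  openssl req -new -key "$1/server.key" -config "$1/demo.cnf" \
    -subj "/CN=$DEMO_DOMAIN" -reqexts v3_req -out "$1/server.csr"
}

# Sign with the CA instead of -signkey. -CAcreateserial writes ca.srl on first
# use (or pass -CAserial <file>). Drop -extfile/-extensions and the issued
# certificate has no SAN at all, which is the failure JoVaRi hit.
sign_with_ca() {
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 825 -sha256 \
    -extfile "$1/demo.cnf" -extensions v3_req -out "$1/server.crt"
}

# Print the SAN line of a certificate, e.g. "DNS:example.test, DNS:*.example.test".
san_of() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Print yes/no: does server.crt in dir $1 chain to ca.crt and match hostname $2?
# "openssl verify -verify_hostname" runs the same X509_check_host logic a TLS
# client uses, so this shows what the SAN really covers.
hostname_ok() {
  if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# Run every step in directory $1.
issue_wildcard_cert() {
  write_config "$1"
  make_ca "$1"
  make_csr "$1"
  sign_with_ca "$1"
}

# Stand-alone demo: build into a scratch dir and show the matching results.
if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not found on PATH; nothing to demo" >&2
elif [ "${DEMO_MAIN:-1}" = 1 ]; then
  W=$(mktemp -d)
  issue_wildcard_cert "$W"
  echo "SAN: $(san_of "$W/server.crt")"
  for h in "$DEMO_DOMAIN" "www.$DEMO_DOMAIN" "a.b.$DEMO_DOMAIN" "other.test"; do
    echo "$h -> $(hostname_ok "$W" "$h")"
  done
  rm -rf "$W"
fi
```

On the question of honouring the extensions already embedded in the CSR rather than re-supplying them: `openssl ca` has long supported `copy_extensions = copy` in its config section, and OpenSSL 3.0 added `-copy_extensions copy` to `openssl x509 -req`; on 1.1.1 the x509 subcommand can only take extensions from -extfile, which is why the script re-reads the same file at signing time. Copying extensions blindly from a CSR also means trusting whatever the requester asked for (CA:TRUE included), so a real CA should constrain them rather than copy them verbatim.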