ssl - appending local domain to commonName and SubjectAltName when signing a CSR as my own CA

I have a device that can generate its own keypair and a self-signed certificate based on those keys. It can then generate a CSR from that and I can export that from the device. I cannot influence the contents of the cert or the CSR.

The "CommonName" it uses is based on the DeviceName, which cannot contain any '.'.

Now when I sign that CSR with my local/private CA, import the final cert back into the device and then go to https://mydevice.local, the browser will of course complain because the "CommonName" for the cert is "mydevice" without the local domain suffix.

Is there a config option for the openssl command so that the "CommonName" gets a pre-configured suffix like ".local" in this example? Also I would like to add the same string to "SubjectAltName" so that Chrome stops complaining as well.

1 Answer

  1. Jeffery

    2019-11-15

    The CA software is free to throw away the subject and substitute its own. Everything in the CSR, except for the public key itself, is for informative purposes only.

    For openssl req and openssl ca, use the -subj option to override the subject:

    openssl ca -in device.csr -out device.crt -subj "/O=TabascoNet/OU=Devices/CN=mydevice.local"
    

    To override the extensions, use the -extensions option, and put the desired extensions (subjectAltName, extendedKeyUsage, etc.) in openssl.cnf.
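
The signing step the answer describes, run end to end, as an added example that is not part of the original answer: a throwaway CA signs a stand-in CSR whose CN is `mydevice`, replacing the subject with `-subj` and taking the SAN from a config section selected with `-extensions`. The section names (`demo_ca`, `policy_any`, `device_ext`), the file names and the demo CA subject are assumptions; `copy_extensions = none` ensures the issued names come from the CA's config, never from the CSR.

```shell
# Added example; CA, keys and CSR below are constructed for the demo.
sign_demo() (
    set -e
    cd "$1"
    mkdir -p newcerts && : > index.txt && echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = index.txt
serial          = serial
new_certs_dir   = newcerts
certificate     = ca.crt
private_key     = ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
copy_extensions = none
[ policy_any ]
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ device_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:mydevice.local
EOF
    # Throwaway CA, then a stand-in for the device's CSR (CN without a dot).
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 \
        -subj "/O=TabascoNet/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=mydevice" -keyout device.key -out device.csr 2>/dev/null
    # Sign: -subj replaces the CSR subject, -extensions selects [ device_ext ].
    openssl ca -batch -notext -config ca.cnf -extensions device_ext \
        -subj "/O=TabascoNet/OU=Devices/CN=mydevice.local" \
        -in device.csr -out device.crt 2>/dev/null
    openssl verify -CAfile ca.crt device.crt >/dev/null
    openssl x509 -in device.crt -noout -subject -nameopt RFC2253
    openssl x509 -in device.crt -noout -text | grep 'DNS:'
)

sign_demo "$(mktemp -d)"
```

With a real device, skip the second `openssl req` and pass the exported CSR to `openssl ca -in`; the private key never leaves the device.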
