How can I give openssl subject alternative name?

Asked by AndreaBailey in Cyber Security, on Feb 25, 2022

Is it possible to provide a subjectAltName-Extension to the openssl req module directly on the command line? I know it's possible via an openssl.cnf file, but that's not really elegant for batch-creation of CSRs.

I find this form a bit more suited for Ansible. It sidesteps the problems of the official module openssl subject alternative name that is somewhat difficult to work with due to library dependency and version problems. The following is an adaptation of a part of the script generation by @Excalibur. You don't need to create a file. This particular playbook outputs the certificate to stdin, which you can show with (ansible-playbook -vvvv) or dump to a variable and output using the debug module.

The domain.key needs to be in the same directory as the playbook.

```yaml
---
- name: Test CSR generation
  hosts: localhost
  vars:
    country: 'US'                       # C
    state: 'NJ'                         # ST
    locality: 'Trenton'                 # L
    organization: 'ACME'                # O
    organization_unit: 'IT'             # OU
    common_name: 'host.example.com'     # CN
    email_address: 'info@example.com'   # emailAddress
    add_subj_alt_name: 'IP:192.0.2.0'   # extra SAN besides common_name, e.g. IP:2001:db8::1
  tasks:
    - name: Generate CSR
      shell: |
        # Subject must be one line: openssl treats every "/" as a field separator
        STR="/C={{ country }}/ST={{ state }}/L={{ locality }}/O={{ organization }}/OU={{ organization_unit }}/CN={{ common_name }}/emailAddress={{ email_address }}"
        # The config is handed to openssl via bash process substitution, so no file is written
        openssl req -new -sha256 -key domain.key -subj "$STR" \
          -reqexts v3_req -extensions v3_req \
          -config <(cat <<<'
        [req]
        distinguished_name = req_distinguished_name
        req_extensions = v3_req
        x509_extensions = v3_req
        [req_distinguished_name]
        countryName = {{ country }}
        stateOrProvinceName = {{ state }}
        localityName = {{ locality }}
        organizationName = {{ organization }}
        organizationalUnitName = {{ organization_unit }}
        commonName = {{ common_name }}
        emailAddress = {{ email_address }}
        [v3_req]
        # The extensions to add to the request
        subjectKeyIdentifier = hash
        basicConstraints = critical,CA:false
        subjectAltName = DNS:{{ common_name }},{{ add_subj_alt_name }}
        keyUsage = critical,digitalSignature,keyEncipherment') -noout -text
      args:
        executable: '/bin/bash'
```
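The same idea reduced to a plain command-line script, as an added example that is not part of the answer above or of any Ansible module: it builds the v3_req section on the fly, pipes it to `openssl req -config /dev/stdin` (POSIX sh, no bash process substitution needed), and then decodes the resulting CSR to confirm that every requested name actually landed in the subjectAltName extension. The function names san_entry, san_config and make_csr_with_san and the IP-versus-DNS classification are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the answer above): build the SAN section on the fly and
# feed it to `openssl req -config` over stdin, so no openssl.cnf is written to disk.

# san_entry NAME: prefix a name with IP: or DNS: (constructed heuristic).
san_entry() {
  case "$1" in
    *:*)       printf 'IP:%s' "$1" ;;   # contains ':' -> IPv6 literal
    *[!0-9.]*) printf 'DNS:%s' "$1" ;;  # any letter -> hostname
    *.*.*.*)   printf 'IP:%s' "$1" ;;   # four dotted numeric fields -> IPv4
    *)         printf 'DNS:%s' "$1" ;;
  esac
}

# san_config CN [NAME...]: minimal req config whose v3_req section carries
# DNS:<CN> plus each extra name, mirroring the playbook's subjectAltName line.
san_config() {
  cn=$1; shift
  sans="DNS:$cn"
  for n in "$@"; do sans="$sans,$(san_entry "$n")"; done
  printf '%s\n' '[req]' 'distinguished_name = req_distinguished_name' \
    'req_extensions = v3_req' '[req_distinguished_name]' '[v3_req]' \
    'basicConstraints = critical,CA:false' \
    'keyUsage = critical,digitalSignature,keyEncipherment' \
    "subjectAltName = $sans"
}

# make_csr_with_san DIR CN [NAME...]: create key + CSR in DIR, then decode the
# CSR and return 1 if any requested name is absent from its SAN extension.
make_csr_with_san() {
  dir=$1; cn=$2; shift 2
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/domain.key"
  san_config "$cn" "$@" | openssl req -new -sha256 -key "$dir/domain.key" \
    -subj "/CN=$cn" -reqexts v3_req -config /dev/stdin -out "$dir/domain.csr"
  sanline=$(openssl req -in "$dir/domain.csr" -noout -text |
    grep -A1 'Subject Alternative Name')
  for n in "$cn" "$@"; do
    case "$sanline" in
      *"$n"*) ;;
      *) echo "missing SAN: $n" >&2; return 1 ;;
    esac
  done
}
# `sh san_csr.sh demo` writes domain.key and domain.csr into a temp directory.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_csr_with_san "$tmp" host.example.com 192.0.2.10 www.example.com &&
    echo "CSR with SANs written to $tmp/domain.csr"
fi
```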

