How can I provide openssl subjectaltname directly on the command line?

735    Asked by AnishaDalal in Cyber Security , Asked on Sep 26, 2022

 Is it possible to provide a subjectAltName-Extension to the openssl req module directly on the command line? I know it's possible via an openssl.cnf file, but that's not really elegant for batch-creation of CSRs.

Answered by Andrew Jenkins

My solution was to pass openssl subjectAltName via an environment variable.


First have this added to openssl.conf:

[ san_env ]
subjectAltName=${ENV::SAN}
Then set the environment variable before invoking openssl:
export SAN=DNS:value1,DNS:value2
openssl req -extensions san_env -subj '/CN=value1' ...

Note: the -extensions san_env parameter needs to be present when signing the CSR as well as when generating it. Therefore, for CA-signed CSRs add -extensions san_env to the openssl ca command as well.



Your Answer

Interviews

Parent Categories