How do we add SANs to a CSR

I originally wrote this section as part of another blog post, but later realised that future posts would probably need to reference the same method, so I am splitting it out into a post of its own.

Generate CSR normally

Generating a private key and a CSR with OpenSSL is very simple:

```bash
# Generate Private key
openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
...........................................................................................................+++
e is 65537 (0x10001)
# Generate CSR
openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:AU
State or Province Name (full name) []:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) []:Aufomm
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:www.aufomm.win
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
```

The problem with a CSR generated this way is that there is no way to add SANs to it. If you are applying to a commercial CA this does not matter much, since most CAs issue the certificate based on the SANs listed in the application (after all, every SAN is charged for separately). If you are applying through Let's Encrypt, however, the applicant's CSR must itself contain every SAN that is needed, so how to get SANs into the CSR is the problem we are solving today.

Generate CSR with SANs

Create a config file

First, let's create a config file (test.conf):

```ini
[req]
default_bits = 2048
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = Country
ST = State
L = Locality
O = Organisation
CN = Common Name

[ req_ext ]
subjectAltName = @alt_names

# Add every SAN you need below; by convention the common name is listed as the first SAN
[ alt_names ]
DNS.1 = www.aufomm.win
DNS.2 = aufomm.win
DNS.3 = aufomm-test.com
#DNS.2 = www.your-new-domain.com
#DNS.3 = www.your-another-domain.com
```
Use the config file to generate CSR
```bash
openssl req -new -key test.key -out test.csr -config test.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country []:AU
State []:Victoria
Locality []:Melbourne
Organisation []:aufomm
Common Name []:www.aufomm.win
```
Check CSR we just generated
```bash
openssl req -noout -text -verify -in test.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Victoria, L=Melbourne, O=aufomm, CN=www.aufomm.win
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ....
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.aufomm.win, DNS:aufomm.win, DNS:aufomm-test.com
    Signature Algorithm: sha256WithRSAEncryption
         ....
```

As you can see, the CSR generated this way contains the SAN information we need.
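To make the steps above repeatable, here is an added example (not code from the original post) that writes the same kind of config non-interactively using `prompt = no`, generates the CSR from it, and then checks that the CSR really carries exactly the SANs that were requested before it goes to a CA. The function names and the key/CSR paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names (make_san_conf,
# make_csr, csr_sans, check_csr_sans) are assumed; key/CSR paths are arguments.

# make_san_conf CN NAME... : print an openssl req config like test.conf above,
# but with prompt = no so the CSR is generated without interactive questions.
# The CN is always emitted as DNS.1, then every extra name in order.
make_san_conf() {
    cn=$1; shift
    printf '[req]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
    printf 'req_extensions = req_ext\ndistinguished_name = dn\n\n'
    printf '[ dn ]\nCN = %s\n\n' "$cn"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
    i=1
    for name in "$cn" "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# make_csr KEY CSR CN NAME... : create the key if it does not exist yet,
# write the config beside the CSR and generate the request from it.
make_csr() {
    key=$1; csr=$2; shift 2
    [ -f "$key" ] || openssl genrsa -out "$key" 2048 2>/dev/null
    make_san_conf "$@" > "$csr.conf"
    openssl req -new -key "$key" -out "$csr" -config "$csr.conf"
}

# csr_sans CSR : print the DNS names in the CSR's subjectAltName, one per line,
# by reading the line that follows the SAN header in openssl's text dump.
csr_sans() {
    openssl req -noout -text -in "$1" |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_csr_sans CSR NAME... : succeed only when the CSR carries exactly the
# given DNS names in that order, so a forgotten or mistyped domain is caught
# before the request is submitted to a CA.
check_csr_sans() {
    csr=$1; shift
    [ "$(csr_sans "$csr" | tr '\n' ' ')" = "$(printf '%s ' "$@")" ]
}

# Usage: make_csr test.key test.csr www.aufomm.win aufomm.win aufomm-test.com
#        check_csr_sans test.csr www.aufomm.win aufomm.win aufomm-test.com && echo "SANs OK"
```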