I need help creating an SSL certificate with multiple subjectAltNames, signed with my own self-brewed CA certificate.
What I need:
I'm on OSX 10.10.5
I have myCA.cer which I use to sign another SSL certificate which has the following alternative names:
(not sure if IP can be an alternative name though…)
DNS.1 = foo.bearden.local
DNS.2 = www.bearden.local
DNS.3 = 192.168.1.58
I need to import this certificate to my iPhone, which already has myCA.cer. That's how it's going to be verified by the iPhone's OS.
What I do:
I run this shell script:
cat > ./cust.cnf <<-EOF
[req]
distinguished_name = req_distinguished_name
# x509_extensions is only read by "openssl req -x509"; "req -new" reads req_extensions
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# with prompt = no the value is taken literally, so the CN has to be a single name
CN = *.bearden.local
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = foo.bearden.local
DNS.2 = www.bearden.local
# an IP address is an IP.N entry, not a DNS.N entry
IP.1 = 192.168.1.58
EOF
# genrsa takes no -config option; the config file is only used by req and x509
openssl genrsa -out foo.key 2048 && \
openssl req -new -out foo.csr -key foo.key -config ./cust.cnf && \
openssl x509 -req -sha256 -in foo.csr -extfile ./cust.cnf -out foo.crt -CAkey myCA.key -CA myCA.cer -days 365 -CAcreateserial -CAserial serial
Problem/Question:
1 -- Wildcard in CN doesn't work (Google Chrome still says it's untrusted, even though I've set complete trust options in Keychain).
2 -- When I add the cert to Keychain (myCA.cer is already there) it recognizes it as valid and trusted, but the cert itself (foo.crt) doesn't have the alternative DNS names which I mentioned in the config.
Please help me to get my multiple alt DNS names into this kind of certificate.
Thank you!
openssl x509 -req needs the extensions too. The SAN information are probably not taken from the CSR. See the -extfile option, and please look also at the examples using this option.
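As an added example (not the asker's script and not the answerer's code), the full procedure from the question carried through so that the SANs actually end up in the certificate, plus the check that tells you whether they did. The host names, the IP address and the "Example Root CA" name are made up for the demo; the CA is generated on the fly so the script runs offline and stands in for myCA.cer/myCA.key. The signing step names the extension section explicitly with -extensions v3_req; sign_without_extensions repeats it without that option to show the silent failure the question describes.

```shell
#!/bin/sh
# Added example, not the asker's script: issue a certificate with several
# subjectAltNames from a self-made CA and check that the SANs really landed
# in the certificate. Host names, IP and CA name are made up for the demo.
set -eu

# Write the OpenSSL config used for CA, CSR and signing into $1/cust.cnf.
write_config() {
    cat > "$1/cust.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[req_distinguished_name]
CN = foo.bearden.local

[v3_req]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = foo.bearden.local
DNS.2 = www.bearden.local
IP.1  = 192.168.1.58

[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create CA, leaf key, CSR and the signed leaf certificate in directory $1.
make_san_cert() {
    dir=$1
    mkdir -p "$dir"
    write_config "$dir"

    # Throwaway self-signed CA (stands in for the asker's myCA.cer / myCA.key).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/cust.cnf" -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$dir/myCA.key" -out "$dir/myCA.cer" 2>/dev/null

    # genrsa takes no -config option; the config only matters for req and x509.
    openssl genrsa -out "$dir/foo.key" 2048 2>/dev/null
    openssl req -new -key "$dir/foo.key" -out "$dir/foo.csr" -config "$dir/cust.cnf"

    # x509 -req ignores the [req] section and does not copy extensions from the
    # CSR: name the section with -extensions or the SANs are silently dropped.
    openssl x509 -req -sha256 -days 365 -in "$dir/foo.csr" \
        -CA "$dir/myCA.cer" -CAkey "$dir/myCA.key" -CAcreateserial \
        -extfile "$dir/cust.cnf" -extensions v3_req -out "$dir/foo.crt" 2>/dev/null
}

# Print the SAN line of certificate $1 (empty when the cert has none).
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Return 0 when foo.crt chains to myCA.cer and lists every expected name.
check_cert() {
    dir=$1
    openssl verify -CAfile "$dir/myCA.cer" "$dir/foo.crt" >/dev/null || return 1
    case $(cert_sans "$dir/foo.crt") in
        *"DNS:foo.bearden.local"*"DNS:www.bearden.local"*"IP Address:192.168.1.58"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Same signing step without -extensions: reproduces the asker's result, a
# certificate the CA trusts but which carries no SAN. Prints its SAN line.
sign_without_extensions() {
    dir=$1
    openssl x509 -req -sha256 -days 365 -in "$dir/foo.csr" \
        -CA "$dir/myCA.cer" -CAkey "$dir/myCA.key" -CAcreateserial \
        -extfile "$dir/cust.cnf" -out "$dir/foo-nosan.crt" 2>/dev/null
    cert_sans "$dir/foo-nosan.crt"
}

# Usage: sh san_cert.sh <workdir>
if [ $# -gt 0 ]; then
    make_san_cert "$1"
    check_cert "$1" && echo "foo.crt OK: $(cert_sans "$1/foo.crt")"
    echo "without -extensions: '$(sign_without_extensions "$1" || true)'"
fi
```

Run it with a scratch directory and compare the two lines it prints: the properly signed foo.crt reports DNS and IP Address entries, while foo-nosan.crt reports nothing, even though openssl verify accepts both against the CA. That is exactly why a cert can show as trusted in Keychain and still fail hostname checks in the browser.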