Generating client certificates with Subject Alternate Names (SAN)

Document ID : KB000057521
Last Modified Date : 14/02/2018

Solution

Background

A Subject Alternate Name is an X.509 extension that allows a client or server certificate to be associated with multiple DNS names, IP addresses, email addresses, or URIs. This is critical for services or clients that have multiple references. For example, a web service may be available at multiple DNS names such as server1.domain.com and server2.domain.com; a subject alternate name allows the certificate to be associated with both domains. Alternatively, a client certificate identified by a CN value can be associated with multiple identifying email addresses. For example, a user may have emails at user@domain1.com and user2@domain2.com that they use for correspondence. The subject alternate name allows this certificate to be used in both contexts.

The Gateway is not capable of generating Certificate Signing Requests that support subject alternate names; they must be created manually by an external PKI management application. An enhancement request to enable this functionality is tracked in an existing development incident: SSG-8193. To meet this need, the OpenSSL suite can be configured, through its configuration file, to generate subject alternate names for certificates. A sample OpenSSL configuration file for this specific need is attached to this article.

Procedure

The following procedure is built around the assumption that a private key for the client or server has not yet been created. If the key has already been generated then certain steps may be skipped as appropriate. Additionally, this procedure generates a self-signed certificate. If a CA-signed certificate is required then provide the CSR to the appropriate entity and do not generate the self-signed certificate.
  1. Generate the new private key.
     openssl genrsa -out server.key 512
  2. Generate a new CSR.
     openssl req -new -key server.key -out server.csr -config ./openssl.cnf
  3. Verify the presence of the SAN in the CSR.
     openssl req -in server.csr -noout -text
  4. Generate a self-signed certificate from the CSR.
     openssl x509 -extfile ./openssl.cnf -extensions v3_req -req -signkey server.key -in server.csr -out server.pem
  5. Verify the presence of the SAN in the certificate.
     openssl x509 -in server.pem -noout -text
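The procedure above carried through end to end with a minimal openssl.cnf of the kind the article says is attached; this is an added example, not the article's attachment or the Gateway's own tooling. The SAN values, the function names san_demo_cnf and san_demo_run, the 365-day validity, and the 2048-bit key (512 bits, as in the procedure, is far below any current minimum and is rejected by some OpenSSL builds) are assumptions.

```shell
#!/bin/sh
# Writes an OpenSSL config whose v3_req section carries the SAN extension,
# then runs the five steps of the procedure against it. Names/values are
# constructed for this example.
set -eu

san_demo_cnf() {  # $1 = path of the openssl.cnf to write
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = server1.domain.com

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1   = server1.domain.com
DNS.2   = server2.domain.com
email.1 = user@domain1.com
email.2 = user2@domain2.com
EOF
}

# Runs steps 1-5 inside directory $1 and prints the SAN values found in the
# final certificate (the line that follows "X509v3 Subject Alternative Name:").
san_demo_run() {
  d="$1"; mkdir -p "$d"; san_demo_cnf "$d/openssl.cnf"
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null                    # step 1
  openssl req -new -key "$d/server.key" -out "$d/server.csr" \
    -config "$d/openssl.cnf"                                               # step 2
  openssl req -in "$d/server.csr" -noout -text \
    | grep -q 'Subject Alternative Name'                                   # step 3
  openssl x509 -extfile "$d/openssl.cnf" -extensions v3_req -req -days 365 \
    -signkey "$d/server.key" -in "$d/server.csr" -out "$d/server.pem" 2>/dev/null  # step 4
  openssl x509 -in "$d/server.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1                       # step 5
}
```

Without `-extfile`/`-extensions` in step 4 the SAN present in the CSR is silently dropped from the certificate, which is why step 5 repeats the check.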

File Attachments:
TEC0000001288.zip