
I know you can use `-addext` with `openssl req`, but are you able to do that with `openssl ca`? I would like to be able to add Subject Alternative Names with only one command without having to edit the configuration file.

Matthew
  • What's the point in adding alternative names in CA certificates? – Crypt32 Feb 21 '19 at 20:47
  • I'm using a CA to sign server/domain certificates; in most modern browsers, if you don't have a Subject Alternative Name then it'll reject the certificate as invalid. – Matthew Feb 21 '19 at 23:26
  • Dupe https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line : you can (set and) use an env var, or on Unix with some shells you can use process substitution `<( ... )` to create a temporary file – dave_thompson_085 Feb 22 '19 at 03:12
  • @Matthew I believe you misunderstand the SAN requirement. It is required only in end entity SSL certificates. CA certificates do not fall under this requirement. – Crypt32 Feb 22 '19 at 05:29
  • I'm using `openssl ca` to sign domain certificates, as listed above. I'm not adding the Subject Alternative Names to the CA, but rather the end-entity certificates I am signing, as stated above. I want to know if I can add SANs in the command. – Matthew Feb 24 '19 at 02:30
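
The environment-variable approach mentioned in the comments, as an added example that is not part of the original thread: the CA config references `${ENV::SAN}` once, and each certificate is then signed with a single `openssl ca` command. The throwaway CA, the helper names (`make_demo_ca`, `sign_with_san`, `san_of`) and the `example.test` names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; the CA, paths and names below are constructed for the demo.

# make_demo_ca DIR: throwaway CA whose config takes the SAN list from $SAN.
make_demo_ca() {
  d=$1
  mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Written once; \$ keeps ${ENV::SAN} literal so openssl expands it per run.
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 30
unique_subject = no
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName = \${ENV::SAN}
EOF
}

# sign_with_san DIR CSR OUT SAN_LIST: one command per certificate, no config edit.
# copy_extensions is unset, so any SAN inside the CSR is ignored.
sign_with_san() {
  SAN=$4 openssl ca -batch -notext -config "$1/ca.cnf" -in "$2" -out "$3" 2>/dev/null
}

# san_of CERT: print the SAN line of an issued certificate.
san_of() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//; s/ *$//'
}

demo=$(mktemp -d)
make_demo_ca "$demo"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$demo/leaf.key" -out "$demo/leaf.csr" 2>/dev/null
sign_with_san "$demo" "$demo/leaf.csr" "$demo/leaf.crt" "DNS:www.example.test,DNS:example.test"
san_of "$demo/leaf.crt"
```

Because the SAN list comes from whoever runs the signing command and not from the CSR, the CA operator decides which names each certificate is valid for.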

0 Answers