I am using the following command to create a certificate sign request file.
openssl.exe req -new -key clinetkey.pem -out client.csr -config client_cacert.cnf
where client_cacert.cnf has the following content
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
[ req_distinguished_name ]
countryName = xx
stateOrProvinceName = xx
localityName = xx
organizationName = x x
organizationalUnitName = x
commonName = abc.pqr.net
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
subjectAltName = @alt_names
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ alt_names ]
DNS.1 = abc.pqr.net
DNS.2 = abc
DNS.3 = localhost
And for signing this CSR I am using the following command.
openssl.exe ca -config server_cacert.cnf -in client.csr -out client.pem -extensions v3_req -startdate 2222222222Z
where server_cacert.cnf has the following content.
[ ca ]
default_ca = CA_DD
[ CA_DD ]
dir = yyyy
new_certs_dir = xxxxx
database = xxxxx\index.txt
unique_subject = no
serial = xxxxx\serial
certificate = xxxxx\cacert.pem
private_key = xxxxx\cakey.pem
default_days = 3650
default_md = sha256
preserve = no
policy = policy_DD
[ policy_DD ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = rootca
req_extensions = server_ext
string_mask = pkix
[ req_distinguished_name ]
countryName = Country Name
stateOrProvinceName = State or Province Name (full name)
0.organizationName = Organization Name (eg, company)
commonName = Common Name (eg, your name or your server's hostname)
[ rootca ]
basicConstraints = critical, CA:true, pathlen:0
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ v3_req ]
subjectAltName = @alt_names
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ alt_names ]
DNS.1 = xyz.pqr.net
DNS.2 = xyz
DNS.3 = localhost
PQR.NET = domain, XYZ = server and ABC = client
When I sign the CSR, which contains the SAN abc.pqr.net, with server_cacert.cnf, abc.pqr.net gets replaced with xyz.pqr.net, so my final client certificate has SAN=xyz.pqr.net and I get the following error.
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <abc.pqr.net> doesn't match any of the subject alternative names: [xyz.hpeswlab.net, xyz, localhost]
How can I add the extra SANs (abc.pqr.net and abc) while signing, or override it? If it's not possible with the above command, is there any other way to do it?
Edit1: I am looking for any openssl command-line option to do it for me. I have >100 clients and I am not allowed to change the server_cacert.cnf file. I am giving my CSR to the server and it has to just sign it using some command.
Edit2: Windows platform
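Added example, not part of the question: a constructed POSIX shell demo (throwaway CA, placeholder file names, subject "DemoCA") that reproduces the SAN being replaced when -extensions is read from the CA's own config, and then signs the same CSR with the SAN it actually requested by passing an ad-hoc extension file through openssl ca's -extfile option, so the CA config itself is never edited.

```shell
# Constructed demo: throwaway CA and a client CSR that asks for abc.pqr.net/abc/localhost.
set -eu
W=$(mktemp -d); cd "$W"
mkdir newcerts; : > index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_DD
[ CA_DD ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_days = 1
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = optional
[ v3_req ]
subjectAltName = DNS:xyz.pqr.net, DNS:xyz, DNS:localhost
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj /CN=DemoCA -days 1 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj /CN=abc.pqr.net \
  -addext 'subjectAltName=DNS:abc.pqr.net,DNS:abc,DNS:localhost' >/dev/null 2>&1
# SAN line of a certificate, e.g. "DNS:abc.pqr.net, DNS:abc, DNS:localhost".
san_of() { openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'; }
# What the question does: -extensions v3_req comes from the CA config, and since
# copy_extensions is unset the CSR's own SAN is ignored and overwritten.
sign_from_ca_cnf() {
  openssl ca -batch -config ca.cnf -in client.csr -out bad.pem \
    -extensions v3_req >/dev/null 2>&1
  san_of bad.pem
}
# Fix without touching ca.cnf: read the SAN the CSR requested, put it in an
# ad-hoc extension file and hand that to -extfile. The CA still dictates
# basicConstraints/keyUsage, so the CSR cannot smuggle in CA:true this way.
sign_with_csr_san() {
  req_san=$(openssl req -in client.csr -noout -text |
    sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
  printf '[ leaf ]\nbasicConstraints = CA:false\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = %s\n' "$req_san" > leaf.cnf
  openssl ca -batch -config ca.cnf -in client.csr -out good.pem \
    -extfile leaf.cnf -extensions leaf >/dev/null 2>&1
  san_of good.pem
}
echo "ca.cnf v3_req: $(sign_from_ca_cnf)"; echo "CSR's own SAN: $(sign_with_csr_san)"
```

Always check the issued certificate's SAN (as san_of does) before handing it to a client, since the TLS hostname check in the error above only looks at that extension.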