My certificate signing request has a SAN:
```text
» openssl req -in csr/example.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=example.com, O=Something, C=XX, ST=YYY, L=Someplace
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:5c:b4:4c:7b:b1:8f:9f:66:0e:0d:de:d1:c6:
                    e0:48:c9:ba:1c:00:e9:22:f9:44:fd:91:53:c3:81:
                    a8:99:7b:8b:48:f6:32:aa:58:cf:ff:47:d6:b6:20:
                    d4:53:a7:6d:03:02:bd:75:dd:ca:aa:81:2d:f1:fd:
                    67:c1:4a:fe:d7:6f:0e:5c:41:13:0f:d8:30:ea:a6:
                    0f:2f:fd:56:43:df:be:5f:68:c5:5f:8a:fd:ad:9c:
                    c4:e6:87:b4:5b:1f:36:a8:b5:d3:aa:98:c7:5f:08:
                    0e:65:42:e6:d0:4d:3d:51:b3:33:af:59:0f:17:2d:
                    7e:99:d0:58:7a:00:85:65:ff:a2:4e:3b:ca:de:ec:
                    fb:bb:c4:53:50:c2:a8:90:b9:09:3d:ee:91:af:24:
                    f4:3e:0f:62:d2:eb:4a:77:a2:72:b8:11:5e:6c:4c:
                    95:99:03:4f:3e:48:dc:e5:95:3c:b6:ce:2f:50:d8:
                    12:8e:98:67:44:3b:a7:2d:46:04:de:96:3e:c8:89:
                    21:1d:e6:ce:ed:2f:24:32:85:ee:4e:35:b3:19:d7:
                    fe:00:4e:e1:a1:1c:3a:9d:ba:72:39:eb:bc:f8:b3:
                    4e:43:07:0a:4c:a2:aa:35:5b:95:88:13:15:0f:bb:
                    a9:77:37:66:0e:3a:05:c2:95:fd:cf:50:f5:bb:bd:
                    4d:07
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption
         2a:60:b5:f8:1e:aa:72:c1:7d:c8:aa:2f:09:82:71:0f:25:7a:
         1c:2b:b2:87:4c:9e:d3:82:50:b6:da:52:d3:09:a1:70:5a:ea:
         56:94:a8:b9:52:87:cd:35:40:35:51:c9:72:5e:a6:be:8e:e9:
         d2:9f:63:1a:4f:62:a3:2b:83:10:80:8a:6a:a9:de:7f:f6:42:
         b5:b8:a7:d5:8e:dc:33:a5:6a:5a:08:d6:8c:ab:cd:75:74:cd:
         1d:12:ef:72:dd:6c:4d:95:f9:cf:ad:ea:6e:73:e5:cc:4a:e5:
         0a:48:65:20:42:c3:46:0b:6a:1b:3e:49:b1:4e:1d:03:4d:80:
         e0:de:fa:fd:52:96:a5:6d:88:d0:a7:66:d6:fa:0a:ed:89:91:
         31:b3:0c:3a:18:f8:91:0c:1a:ca:21:22:40:af:24:14:e5:9c:
         04:5b:2a:d6:a4:bf:3f:04:00:7d:d1:35:47:e4:c5:58:83:0e:
         87:e2:70:c0:9a:89:cc:89:88:67:df:9d:cb:8d:4e:a4:a2:fa:
         f7:36:4c:44:b2:0a:e1:73:b4:a7:58:b8:5b:16:22:d4:19:b0:
         d5:a2:83:08:4b:d9:22:8e:85:7f:c7:86:8d:97:f8:b1:b6:5b:
         86:b2:c7:a5:09:da:78:4d:c0:39:b5:4e:b1:0d:a2:74:04:95:
         04:92:ed:16
```
But the certificate has lost it:
```text
» openssl x509 -in certs/example.com.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 17807092983826911732 (0xf71f80b9075a91f4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=OOO, L=LLLL, ST=STST, C=CC
        Validity
            Not Before: Mar 20 10:46:25 2018 GMT
            Not After : Aug  2 10:46:25 2019 GMT
        Subject: CN=example.com, O=OOO, C=CC, ST=STST, L=LLLL
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:5c:b4:4c:7b:b1:8f:9f:66:0e:0d:de:d1:c6:
                    e0:48:c9:ba:1c:00:e9:22:f9:44:fd:91:53:c3:81:
                    a8:99:7b:8b:48:f6:32:aa:58:cf:ff:47:d6:b6:20:
                    d4:53:a7:6d:03:02:bd:75:dd:ca:aa:81:2d:f1:fd:
                    67:c1:4a:fe:d7:6f:0e:5c:41:13:0f:d8:30:ea:a6:
                    0f:2f:fd:56:43:df:be:5f:68:c5:5f:8a:fd:ad:9c:
                    c4:e6:87:b4:5b:1f:36:a8:b5:d3:aa:98:c7:5f:08:
                    0e:65:42:e6:d0:4d:3d:51:b3:33:af:59:0f:17:2d:
                    7e:99:d0:58:7a:00:85:65:ff:a2:4e:3b:ca:de:ec:
                    fb:bb:c4:53:50:c2:a8:90:b9:09:3d:ee:91:af:24:
                    f4:3e:0f:62:d2:eb:4a:77:a2:72:b8:11:5e:6c:4c:
                    95:99:03:4f:3e:48:dc:e5:95:3c:b6:ce:2f:50:d8:
                    12:8e:98:67:44:3b:a7:2d:46:04:de:96:3e:c8:89:
                    21:1d:e6:ce:ed:2f:24:32:85:ee:4e:35:b3:19:d7:
                    fe:00:4e:e1:a1:1c:3a:9d:ba:72:39:eb:bc:f8:b3:
                    4e:43:07:0a:4c:a2:aa:35:5b:95:88:13:15:0f:bb:
                    a9:77:37:66:0e:3a:05:c2:95:fd:cf:50:f5:bb:bd:
                    4d:07
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         58:fa:f2:83:e1:34:50:f7:f2:04:28:af:0d:e7:27:8d:36:03:
         d3:a9:07:69:ed:5c:3e:2a:ed:e9:2a:58:f8:a3:ef:9b:4e:a6:
         ee:0a:a8:19:84:9d:5a:51:e0:7f:eb:3d:24:be:d9:9e:84:5b:
         4a:6f:57:10:b6:6b:1e:e9:12:91:bd:55:47:20:79:7f:1a:a5:
         83:b6:5c:04:7f:06:3f:f4:97:af:a5:27:7a:81:b7:08:b8:16:
         dd:f1:ab:6d:5a:f8:07:11:f3:97:96:86:08:13:42:b9:de:25:
         38:3e:ee:84:96:93:70:2a:a6:fc:7f:29:25:5d:a8:4c:c7:7c:
         3f:7a:c2:d4:9d:6e:cc:0e:b0:2c:38:dd:4c:d3:91:65:fd:cc:
         f8:ec:4d:9c:d4:88:79:e8:fc:3a:ee:8f:00:dd:9e:95:5c:ca:
         d8:bd:f7:e8:7c:cc:b4:9e:53:6c:60:d8:7a:d2:f2:4f:4a:76:
         3f:0c:33:6f:cf:d0:72:93:39:7e:12:e7:19:f4:e2:77:bf:a0:
         b7:57:22:a9:34:25:51:86:15:26:3a:8c:b2:00:29:d8:5f:98:
         69:f9:b0:36:75:a6:ca:2f:67:dc:5a:11:b2:c3:00:ab:05:6c:
         40:2c:77:d5:0d:53:1b:bb:d6:1f:dd:cd:88:95:26:e1:88:32:
         f7:92:0b:ef
```
What could be the reason? The root CA's CA_default section has:

```ini
copy_extensions = copy
```

EDIT
Adding a copy of my (modified) configuration (for the CA certificate):
```ini
#
# OpenSSL configuration file.
#

# Establish working directory.
dir = data

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024                     # Size of keys
default_keyfile = key.pem               # name of generated keys
default_md = md5                        # message digest algorithm
string_mask = nombstr                   # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#-------------------------     ----------------------------------
0.organizationName = MyOrg
organizationalUnitName = Organizational Unit Name
emailAddress = something@here.net
emailAddress_max = 40
localityName = ThisLocation
stateOrProvinceName = ThisState
countryName = RQ
countryName_min = 2
countryName_max = 2
commonName = My Certificate Authority
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#------------------------      ------------------------------
0.organizationName_default = Organizational Unit Name
localityName_default = ThisLocation
stateOrProvinceName_default = ThisState
countryName_default = RQ

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
```
EDIT2

The conf for the CSR:
```ini
#
# OpenSSL configuration file, for generating CSRs
#

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#-------------------------     ----------------------------------
0.organizationName = Some Org
organizationalUnitName = Some Unit
emailAddress = here@there.net
localityName = SomeLoc
stateOrProvinceName = SomeState
countryName = RQ
commonName = The Common Name

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ENV::ALTNAME
```
```sh
ALTNAME="$ALTNAME" openssl x509 -req -in csr/$domain.csr -CA data/certs/rootCA.pem -CAkey data/private/rootCA.key -CAcreateserial -out data/certs/$domain.crt -days 500 -sha256
```

I don't use any config file for signing, so I'm not sure how to "force version 3".
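The behaviour in the question comes from which command reads which setting: `copy_extensions = copy` lives in the `[ CA_default ]` section and is honoured only by `openssl ca`, while `openssl x509 -req` never consults the CSR's requested extensions and, given no `-extfile`/`-extensions`, writes a version 1 certificate with no extensions at all. The script below is an added example, not code from the post; it reproduces both outcomes with a constructed throwaway CA and checks the result. File names, subjects and the temporary directory are assumptions.

```shell
# Added example, not from the original post: `copy_extensions = copy` is only
# read by `openssl ca`; `openssl x509 -req` ignores the CSR's extensions and,
# without -extfile/-extensions, emits a version 1 certificate.
# File names, subjects and the temp directory are assumptions for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# $ENV::ALTNAME is expanded when the config file is parsed, so the variable
# must be set for every openssl call that loads req.cnf (CSR and signing).
ALTNAME="DNS:example.com,DNS:www.example.com"
export ALTNAME
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = ${ENV::ALTNAME}
EOF
# Constructed root CA plus a CSR that carries the SAN, as in the question.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config req.cnf \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -keyout leaf.key -out leaf.csr 2>/dev/null
# sign_csr CSR OUT [ext]: the post's signing command; "ext" adds the section
# that turns the result into a v3 certificate carrying the SAN.
sign_csr() {
  if [ "${3:-}" = "ext" ]; then
    openssl x509 -req -in "$1" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 30 -sha256 -extfile req.cnf -extensions v3_req -out "$2" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 30 -sha256 -out "$2" 2>/dev/null
  fi
}
# cert_version CERT: X.509 version as printed by -text (1 or 3).
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}
# san_count CERT: number of DNS SAN entries, 0 when the extension is absent.
san_count() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | grep -c . || true
}
sign_csr leaf.csr bare.crt;  sign_csr leaf.csr fixed.crt ext
echo "no extfile: v$(cert_version bare.crt) SAN=$(san_count bare.crt); extfile: v$(cert_version fixed.crt) SAN=$(san_count fixed.crt)"
```

The other two routes to the same result are `openssl ca`, which does honour `copy_extensions = copy`, and, on OpenSSL 3.0 or later, `openssl x509 -req -copy_extensions copy`, which carries the CSR's own extensions across without an extension file.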