Incompatibility between openssl PKCS#10 CSR and openca

by Nicolás Macia

Hello people, I have a problem when I make a PKCS#10 CSR with openssl
and try to use it in OpenCA.
This is what I am doing.

I have a configuration file (my.cnf):

        nico@nico-laptop:~/openssl/new$ more my.cnf
        [ req ]
        default_bits            = 1024
        default_md              = sha1
        default_keyfile         = privkey.pem
        distinguished_name      = req_distinguished_name
        prompt                  = no
        req_extensions          = v3_req
        utf8 = yes     # automatically added
        string_mask = utf8only     # automatically added

        [ req_distinguished_name ]
        commonName              = www.test.com
        localityName            = My_Locality
        organizationalUnitName  = My_Unit
        organizationName        = My_Organization
        countryName             = AR

        [ v3_req ]
        basicConstraints        = CA:FALSE
        keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

        subjectAltName          = @alt_names

        [ alt_names ]
        email.0                 = root@...
        DNS.1                   = www.test.com
        DNS.2                   = www.test.net
        DNS.3                   = www.test.org

        nico@nico-laptop:~/openssl/new$

With this file I create the CSR with the following commands:
+ openssl req -new -nodes -keyout ./priv.key -out ./req.csr -config ./my.cnf
+ openssl req -out req.pem -in req.csr -config my.cnf

This is the output:
        nico@nico-laptop:~/openssl/new$ openssl req -new -nodes -keyout ./priv.key -out ./req.csr -config ./my.cnf
        Generating a 1024 bit RSA private key
        ..................++++++
        .............++++++
        unable to write 'random state'
        writing new private key to './priv.key'
        -----
        nico@nico-laptop:~/openssl/new$
        nico@nico-laptop:~/openssl/new$ openssl req -out req.pem -in req.csr -config my.cnf
        nico@nico-laptop:~/openssl/new$


Then I inspect the content of the request and I can see it's all ok:
        nico@nico-laptop:~/openssl/new$ openssl req -text -in req.pem
        Certificate Request:
            Data:
                Version: 0 (0x0)
                Subject: CN=www.test.com, L=My_Locality, OU=My_Unit, O=My_Organization, C=AR
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                    RSA Public Key: (1024 bit)
                        Modulus (1024 bit):
                            00:bb:54:1d:4e:c2:1b:62:88:19:81:76:4e:53:5a:
                            3b:20:fe:d0:37:1e:ec:cb:15:4f:8e:1c:58:57:31:
                            be:4d:38:6f:99:79:81:a3:56:8b:f6:c3:2b:21:59:
                            c4:4e:be:c8:91:9b:5e:32:4b:43:a7:82:17:7a:2a:
                            3c:dc:3b:5c:72:af:22:d7:60:ad:dd:50:00:c5:8c:
                            7d:53:fa:fd:af:6c:12:71:2b:4c:0a:f7:5a:d0:65:
                            a5:7d:45:f1:01:b7:28:ca:c7:39:20:c1:aa:20:6f:
                            de:dc:6d:18:dd:e1:93:d2:d6:05:32:89:ad:55:41:
                            22:87:82:dc:97:ae:a9:00:9f
                        Exponent: 65537 (0x10001)
                Attributes:
                Requested Extensions:
                    X509v3 Basic Constraints:
                        CA:FALSE
                    X509v3 Key Usage:
                        Digital Signature, Non Repudiation, Key Encipherment
                    X509v3 Subject Alternative Name:
                        email:root@..., DNS:www.test.com, DNS:www.test.net, DNS:www.test.org
            Signature Algorithm: sha1WithRSAEncryption
                a7:7d:72:21:cb:3f:d4:4a:1e:ab:20:4e:83:21:d8:0e:fa:87:
                5f:03:71:f4:38:4a:2b:60:76:3b:2a:8e:59:5a:a6:2f:70:28:
                6c:71:e1:90:4d:a9:19:9b:76:a5:b0:6b:bf:78:8e:43:81:08:
                d4:73:79:c5:72:d0:79:82:b0:56:93:60:58:c6:3b:64:7d:f4:
                9c:7c:30:c1:19:6c:56:e1:1c:0c:f2:93:f4:da:e0:8f:12:73:
                02:9e:b7:0f:1f:08:3e:a7:ee:6a:7b:d1:56:c6:1d:8c:4c:b5:
                1c:61:be:09:5c:cf:f0:89:aa:9e:b3:0b:01:3b:7b:03:45:74:
                4e:a9
        -----BEGIN CERTIFICATE REQUEST-----
        MIICEzCCAXwCAQAwZjEVMBMGA1UEAwwMd3d3LnRlc3QuY29tMRQwEgYDVQQHDAtN
        eV9Mb2NhbGl0eTEQMA4GA1UECwwHTXlfVW5pdDEYMBYGA1UECgwPTXlfT3JnYW5p
        emF0aW9uMQswCQYDVQQGEwJBUjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
        u1QdTsIbYogZgXZOU1o7IP7QNx7syxVPjhxYVzG+TThvmXmBo1aL9sMrIVnETr7I
        kZteMktDp4IXeio83Dtccq8i12Ct3VAAxYx9U/r9r2wScStMCvda0GWlfUXxAbco
        ysc5IMGqIG/e3G0Y3eGT0tYFMomtVUEih4Lcl66pAJ8CAwEAAaBtMGsGCSqGSIb3
        DQEJDjFeMFwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwQgYDVR0RBDswOYENcm9v
        dEB0ZXN0LmNvbYIMd3d3LnRlc3QuY29tggx3d3cudGVzdC5uZXSCDHd3dy50ZXN0
        Lm9yZzANBgkqhkiG9w0BAQUFAAOBgQCnfXIhyz/USh6rIE6DIdgO+odfA3H0OEor
        YHY7Ko5ZWqYvcChsceGQTakZm3alsGu/eI5DgQjUc3nFctB5grBWk2BYxjtkffSc
        fDDBGWxW4RwM8pP02uCPEnMCnrcPHwg+p+5qe9FWxh2MTLUcYb4JXM/wiaqeswsB
        O3sDRXROqQ==
        -----END CERTIFICATE REQUEST-----
        nico@nico-laptop:~/openssl/new$

The problem arises when I try to use the request I made before in OpenCA.
I am using OpenCA Server Version 1.0.2.
I use the interface "My certificates" -> "Request a Certificate" ->
"Server Certificate Request (PKCS#10 PEM formatted Request Upload Form)"
to upload my CSR.

When I use the RA Operator interface and open the request, I can't see
any information in the "Subject Alternative Name" field.
The information OpenCA gathers from the CSR is:
        Request Version 0 (0x0)
        Serial Number 37152
        Common Name www.test.com
        E-Mail n/a
        Subject Alternative Name n/a
        Role Web Server
        Lifetime (days) n/a
        Not before (YYMMDDhhmmss) n/a
        Not after (YYMMDDhhmmss) n/a
        Lifetime check Lifetime would be ok.
        LOA Low
        Distinguished Name serialNumber=206,C=AR,O=My_Organization,OU=My_Unit,L=My_Locality,CN=www.test.com
        Submitted on Tue Jul 14 23:20:30 2009 UTC
        Approved on n/a
        Used Identification PIN 25c1cd954c5f9d83bd7b46ecb71c2db0145bc3a8
        Modulus (key size) 1024
        Public Key Algorithm rsaEncryption
        Public Key
            Modulus (1024 bit):
                00:e3:ab:e5:6f:05:76:94:38:59:b1:76:37:d7:d0:
                bc:54:1b:ac:68:b2:89:3f:89:00:ee:12:90:eb:f2:
                50:a4:ba:fe:b4:a7:d5:23:d8:ef:c4:ae:22:d4:53:
                e1:75:70:42:e1:d5:22:99:f2:0a:3f:31:ca:8c:13:
                05:c7:f3:a9:c1:16:18:60:b2:5c:a8:f7:0b:28:fa:
                39:75:30:fe:ba:4b:72:c3:dc:3b:4d:6a:c3:b1:16:
                ab:31:3e:f6:05:f4:b7:eb:5b:4a:6b:a5:f5:36:e2:
                fa:ea:46:33:30:27:39:c6:a1:e9:32:87:4e:06:6b:
                92:af:1b:d2:f3:44:d9:34:e9
            Exponent: 65537 (0x10001)
        Signature Algorithm sha1WithRSAEncryption

What's wrong with this? Or how can I make a PKCS#10 CSR with subjectAltName
that OpenCA accepts?

Thanks for reading; any help is very welcome.
Nicolas



_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

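A check worth running before blaming the CA, as an added example that is not part of the original post and not OpenCA's code: the script below is a stdlib-only Python parser that walks the DER of the PKCS#10 request posted above, pulls the extensionRequest attribute (PKCS#9 OID 1.2.840.113549.1.9.14) out of the request's attributes field and lists the extensions it carries, so you see what the RA actually received independently of the `openssl req -text` formatter (which, in the dump above, already lists the SAN under "Requested Extensions"). It also prints the RSA modulus in the colon-hex form openssl and OpenCA both use and compares it with the modulus the RA screen displayed; in this thread the uploaded request's modulus begins 00:bb:54 while the RA screen shows one beginning 00:e3:ab, and if that comparison fails the object the RA is displaying does not carry the key you submitted, which is worth resolving before anything gets signed. The CSR and the displayed modulus are copied from the message; the function names are mine.

```python
# Added example (not from the thread or from OpenCA): a stdlib-only PKCS#10 inspector.
import base64

# Constructed input: the CSR printed in the message above, copied verbatim.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICEzCCAXwCAQAwZjEVMBMGA1UEAwwMd3d3LnRlc3QuY29tMRQwEgYDVQQHDAtN
eV9Mb2NhbGl0eTEQMA4GA1UECwwHTXlfVW5pdDEYMBYGA1UECgwPTXlfT3JnYW5p
emF0aW9uMQswCQYDVQQGEwJBUjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
u1QdTsIbYogZgXZOU1o7IP7QNx7syxVPjhxYVzG+TThvmXmBo1aL9sMrIVnETr7I
kZteMktDp4IXeio83Dtccq8i12Ct3VAAxYx9U/r9r2wScStMCvda0GWlfUXxAbco
ysc5IMGqIG/e3G0Y3eGT0tYFMomtVUEih4Lcl66pAJ8CAwEAAaBtMGsGCSqGSIb3
DQEJDjFeMFwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwQgYDVR0RBDswOYENcm9v
dEB0ZXN0LmNvbYIMd3d3LnRlc3QuY29tggx3d3cudGVzdC5uZXSCDHd3dy50ZXN0
Lm9yZzANBgkqhkiG9w0BAQUFAAOBgQCnfXIhyz/USh6rIE6DIdgO+odfA3H0OEor
YHY7Ko5ZWqYvcChsceGQTakZm3alsGu/eI5DgQjUc3nFctB5grBWk2BYxjtkffSc
fDDBGWxW4RwM8pP02uCPEnMCnrcPHwg+p+5qe9FWxh2MTLUcYb4JXM/wiaqeswsB
O3sDRXROqQ==
-----END CERTIFICATE REQUEST-----"""

# Constructed input: the modulus the OpenCA RA screen showed for this request (two screen lines per line).
OPENCA_DISPLAYED_MODULUS = """
00:e3:ab:e5:6f:05:76:94:38:59:b1:76:37:d7:d0:bc:54:1b:ac:68:b2:89:3f:89:00:ee:12:90:eb:f2:
50:a4:ba:fe:b4:a7:d5:23:d8:ef:c4:ae:22:d4:53:e1:75:70:42:e1:d5:22:99:f2:0a:3f:31:ca:8c:13:
05:c7:f3:a9:c1:16:18:60:b2:5c:a8:f7:0b:28:fa:39:75:30:fe:ba:4b:72:c3:dc:3b:4d:6a:c3:b1:16:
ab:31:3e:f6:05:f4:b7:eb:5b:4a:6b:a5:f5:36:e2:fa:ea:46:33:30:27:39:c6:a1:e9:32:87:4e:06:6b:
92:af:1b:d2:f3:44:d9:34:e9"""

OID_EXT_REQ, OID_SAN, OID_CN = "1.2.840.113549.1.9.14", "2.5.29.17", "2.5.4.3"
EXT_NAMES = {"2.5.29.17": "subjectAltName", "2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints"}

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length    # (tag, value, offset after this TLV)

def children(value):                                    # iterate a constructed value's TLVs
    pos = 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def requested_extensions(attrs):                        # OID -> extnValue octets
    exts = {}
    for _, attr, _ in children(attrs):
        (_, oid, _), (_, values, _) = list(children(attr))
        if decode_oid(oid) == OID_EXT_REQ:              # PKCS#9 extensionRequest attribute
            for _, ext_list, _ in children(values):     # SET OF Extensions (normally one)
                for _, ext, _ in children(ext_list):
                    items = list(children(ext))         # OID, [critical BOOLEAN], OCTET STRING
                    exts[decode_oid(items[0][1])] = items[-1][1]
    return exts

def parse_san(octets):
    """GeneralNames: [1] rfc822Name, [2] dNSName, [7] iPAddress (IPv4 shown dotted)."""
    kinds = {1: "email", 2: "DNS", 7: "IP"}
    out = []
    for tag, val, _ in children(read_tlv(octets, 0)[1]):
        kind = tag & 0x1F                               # context-specific tag number
        text = (".".join(map(str, val)) if len(val) == 4 else val.hex()) if kind == 7 else val.decode("latin-1")
        out.append((kinds.get(kind, "other[%d]" % kind), text))
    return out

def inspect_csr(pem):
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    info = next(children(read_tlv(der, 0)[1]))[1]       # certificationRequestInfo
    fields = [v for _, v, _ in children(info)]          # version, subject, SPKI, [0] attributes
    version, subject, spki = fields[:3]
    attrs = fields[3] if len(fields) > 3 else b""
    cn = None
    for _, rdn, _ in children(subject):
        for _, atv, _ in children(rdn):
            (_, oid, _), (_, val, _) = list(children(atv))
            cn = val.decode("utf-8") if decode_oid(oid) == OID_CN else cn
    bitstr = list(children(spki))[1][1]                 # subjectPublicKey BIT STRING
    (_, n, _), (_, e, _) = list(children(read_tlv(bitstr, 1)[1]))   # skip unused-bits octet; RSAPublicKey {n, e}
    exts = requested_extensions(attrs)
    return {"version": version[0], "subject_cn": cn,
            "modulus": ":".join("%02x" % b for b in n),  # same form openssl -text prints
            "modulus_bits": (len(n) - (n[0] == 0)) * 8,
            "exponent": int.from_bytes(e, "big"),
            "requested": [EXT_NAMES.get(o, o) for o in exts],
            "san": parse_san(exts[OID_SAN]) if OID_SAN in exts else None}

def same_key(a, b):
    """Compare two colon-hex moduli as openssl/OpenCA print them, ignoring layout."""
    def norm(s): return "".join(s.split()).replace(":", "").lower().lstrip("0")
    return norm(a) == norm(b)
```

Call `inspect_csr(CSR_PEM)` to get the fields, and `same_key(result["modulus"], OPENCA_DISPLAYED_MODULUS)` for the key comparison; the parser only understands the definite-length DER that `openssl req` emits, which is all a CA should accept anyway.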

Re: Incompatibility between openssl PKCS#10 CSR and openca

by tommy.rong

Hi, it seems you left out a parameter in the command you used to create the request. In your configuration file, the v3_req section will not be used by default. You can add the parameter "-extensions v3_req" to your command; I think the configuration file will then work well. Hopefully this info will help you. Thanks.