Can anyone tell me how I can add a number of Subject Alternate Names to an existing CSR?
I'm not talking about generating a CSR with SANs or adding SANs at signing time - I know how to do both of these things.
Background: The problem we have is that HP blade chassis allow you to generate CSRs, but they only allow a single SAN. We can't use a CSR generated elsewhere, as we could not use the resultant cert as there is no way (that I can find) to upload the key to the blade chassis.
Our CA's standard process does not allow for adding SANs at signing time. They are willing to experiment; however, I am trying to find a solution at our end, as this will mean we won't have to rely on them having a non-standard process for us. In my experience, if they need to use a non-standard process, life will eventually get difficult, e.g. when a staff member who knows the non-standard process is not present due to leave etc.
Current method is to connect to the blade chassis onboard admin via the web GUI and generate the CSR with a single CN.
The web GUI only allows for a single SAN in the CSR.
Then we self sign it with the following stanza in the openssl config:
[ v3_ca ]
subjectAltName = "DNS:bladesystem8,DNS:bladesystem8.services.adelaide.edu.au,DNS:bladesystem8-backup,DNS:bladesystem8-backup.services.adelaide.edu.au"
The resultant cert has the extra SANs.
If your chassis doesn't support adding SANs, you'll need to get the key off the chassis and generate the CSR with openssl.
Make sure
req_extensions = v3_req
is uncommented in the [ req ] section. Add the subjectAltName to the [ v3_req ] section. Generate a new CSR.
You cannot edit an existing CSR.
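The two routes the answers above describe, a CSR regenerated with SANs in [ v3_req ] and SANs added from the config at signing time, as one added example that is not code from the thread. It assumes openssl is on PATH; the CA, key and certificate files are throwaway and the hostnames are the constructed ones from the question.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR that carries several SANs via
# [ v3_req ], sign it with a throwaway CA that adds the same SANs at signing time,
# then confirm the issued cert carries them. Assumes openssl on PATH; hostnames
# and paths are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

write_config() {                     # openssl config with the SANs from the question
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = bladesystem8.services.adelaide.edu.au
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = bladesystem8
DNS.2 = bladesystem8.services.adelaide.edu.au
DNS.3 = bladesystem8-backup
DNS.4 = bladesystem8-backup.services.adelaide.edu.au
EOF
}

make_csr() {                         # new key + CSR with SANs embedded (the "regenerate" route)
  write_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/blade.key" \
    -out "$WORK/blade.csr" -config "$WORK/san.cnf" 2>/dev/null
}

sign_csr() {                         # throwaway CA; -extfile/-extensions add SANs when signing
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Demo CA" -days 1 -config "$WORK/san.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/blade.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -extensions v3_req \
    -out "$WORK/blade.crt" 2>/dev/null
}

count_sans() {                       # $1 = req|x509, $2 = file; prints number of DNS SANs
  openssl "$1" -in "$2" -noout -text | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}

make_csr && sign_csr
echo "DNS SANs in CSR:  $(count_sans req  "$WORK/blade.csr")"    # 4
echo "DNS SANs in cert: $(count_sans x509 "$WORK/blade.crt")"    # 4
```

If the chassis will not give up its key, only the signing half applies: the CA signs the chassis CSR with -extfile/-extensions and the SANs come from the config rather than the request.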
While cakemox's answer is definitely the easiest if you can somehow get a copy of the private key, there's another way if you can't by basically re-signing the CSR using an "Enrollment Agent" certificate.
This blog post has all of the nitty gritty details. But the high level overview of the process looks like this:
When I tried this personally, I'm pretty sure I skipped the part about modifying the certificate template. Presuming you can generate an Enrollment Agent cert for yourself, the actual process looks something like this.
Create a san.inf with the SAN extension info in it
Re-sign the request
Submit the corrected request
And then proceed as normal with the issuance process.
Important note: All of this is somewhat speculative, so if you're deep in the code and it doesn't agree with what I'm saying, believe the code. I'm not a CA expert, I just play one on TV. That said:
As a feature of CSRs, it'll be tough. The final step in generating a CSR programmatically is to hash everything you've created, and then sign it with the private key. So, while you could add those attributes to the text of the CSR, the signature wouldn't match up with the contents, so no CA would sign it.
In your case, though, you control (or are at least in contact with) the CA. This gives you two options:
Of these, #1 seems by far the easiest. You'll need to break the tamper-evident seal on OpenSSL to get it to do this, but it has some functions that should make it quite a bit easier. I'd start with asn1parse, which will show you how to break apart the CSR.