Questions[csr](server)

How can I add a Subject Alternate Name when signing a certificate request using OpenSSL (in Windows if that matters)?

I've generated a basic certificate signing request (CSR) from the IIS interface. Now, I'd like to add several subject alternate names, sign it with an existing root certificate, and return the certificate to complete the signing request.

Every tutorial I could find involves generating a new private key and a brand new CSR, however I was under the impression that the private key resides on the requesting computer (which I wouldn't necessarily have access to). I just want to sign the request while adding the alternate names. I'm relatively new to OpenSSL and CA topics so this may be a misunderstanding on my part.

I've generated a self certified SSL cert for testing a new web site. The time has come for the site to go live and I now want to purchase a cert from GeoTrust. Can I use the same CSR that I generated for the self cert, or do I need to create a new one?

Rich

I'm setting up SSL on an Ubuntu server. One of fields it asks for as part of setting up the CSR is a "challenge password". What is that? The default is blank. Do I need to enter one?

Can any one tell me how I an add a number of Subject Alternate Names to an existing CSR?

I'm not talking about generating a CSR with SANs or adding SANs at signing time - I know how to do both of these things.

Background: The problem we have is that HP blade chassis, allow you to generate CSRs, but they only allow a single SAN. We can't use a CSR generated elsewhere as we could not use the resultant cert as there is no way (that I can find) to upload the key to the blade chassis.

Our CA's standard process does not allow for adding SANs are signing time. They are willing to experiment, however I am trying to find a solution at our end as this will mean we won't have to rely on them having a non standard process for us - in my experience if they need to use a non standard process life will eventually get difficult. E.g. when a staff member who knows the non standard process is not present due to leave etc.

Current method is to connect to the bladechassis onboard admin via the web gui and generate the CSR with a single CN.

The web gui only allows for a single SAN in the CSR.

Then we self sign it with the following stanza in the openssl config:

[ v3_ca ]
subjectAltName = "DNS:bladesystem8,DNS:bladesystem8.services.adelaide.edu.au,DNS:bladesystem8-backup,DNS:bladesystem8-backup.services.adelaide.edu.au"

The resultant cert has the extra SANs.

I am trying to script a solution to automatically submit Base64 CSRs to a Microsoft Certificate Services CA, but keep getting tripped up.

My understanding is that all I should need to specify is a Certificate Template & CSR File and it will spit out a Certificate.

The CSR is for

CN=myserver.ilo.domain.local, OU=ISS, O=Hewlett-Packard Company, L=Houston, ST=Texas, C=US

Which is a HP iLO3 device

certreq -Submit -attrib "CertificateTemplate:Webserver" infile.csr outfile.cer

Running this command however results in:

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

Using the web interface for MSCS http://certsvr/certsrv and going through the advanced settings (to set Web Server Certificate) allows me to submit a certificate Request just fine.

Does anyone know where I may be going wrong with certreq?