Linux Notes: OpenSSL-2025
- The information presented here is intended for educational use by qualified computer technologists.
- The information presented here is provided free of charge, as-is, with no warranty of any kind.
Edit: 2025-09-26
=========================================================================================
title : /home/neil/ssl-work-bench/aaa_ssl_cert_help_2025.txt
author : Neil Rieck
created: 2025-03-31
edit : 2025-04-07
notes :
1) In March of 2025, CGI said we must now provide a populated SAN area in the CSR
(rather than just pasting a list of alternative hosts into a second textbox of the
Certificate Request tool found in MTW (my-telecom-warehouse))
2) Internet experts say not to do the following hack (so perhaps CGI's request is an
Interociter intelligence test?)
3) UPDATE: the signed certificate delivered on 2025-04-03 appears complete, so doing a
CSR this way is definitely the recommended new method
stanzas:
1) legacy vanilla method (<=2024) for reference
2) new vanilla method ( >2025)
3) new real method (my initial 2025 hack)
4) screen shots
5) reference data (from the web)
=========================================================================================
------------------------------------------------------------------------------- init
1) legacy vanilla method (2024 and earlier)
NOTE: vanilla demos here employ ccyymmdd rather than a real date stamp
------------------------------------------------------------------------------- start
1) $ openssl genrsa -out kawc96_ccyymmdd.key 2048
2) $ openssl req -new -key kawc96_ccyymmdd.key -out kawc96_ccyymmdd.csr
3) $ openssl req -noout -text -in kawc96_ccyymmdd.csr
4) $ cat kawc96_ccyymmdd.csr
# copy/paste this ASCII dump into the vendor window
5) # wait for the vendor to send you the certificate
6) $ openssl x509 -text -noout -in kawc96_ccyymmdd.crt
# inspect/test signed cert from vendor
# do not install this cert if you see any problems (like missing SAN info)
------------------------------------------------------------------------------- stop
------------------------------------------------------------------------------- init
2) new vanilla method (2025 and later)
NOTE: vanilla demos here employ ccyymmdd rather than a real date stamp
see stanza-3 below to learn how to create file 'openssl-kawc96.cnf'
------------------------------------------------------------------------------- start
1) $ openssl genrsa -out kawc96_ccyymmdd.key 2048
2) $ openssl req -new -key kawc96_ccyymmdd.key -out kawc96_ccyymmdd.csr -config openssl-kawc96.cnf
3) $ openssl req -noout -text -in kawc96_ccyymmdd.csr
4) $ cat kawc96_ccyymmdd.csr
# copy/paste this to the vendor
5) # wait for the vendor to send you the certificate
6) # inspect/test signed cert from vendor
$ openssl x509 -text -noout -in kawc96_ccyymmdd.crt
# do not install this cert if you see any problems (like missing SAN info)
------------------------------------------------------------------------------- stop
------------------------------------------------------------------------------- init
3) new real method (my initial 2025 hack)
NOTES:
a) real demos here employ a real date stamp rather than ccyymmdd
b) step-0 (prep work) only needs to be done once
c) modify file "openssl-kawc96.cnf" if SAN is changing
------------------------------------------------------------------------------- start
0) ############################################## prep work (only do this once)
mkdir /home/neil/ssl-work-bench
cd /home/neil/ssl-work-bench
cp -p /etc/pki/tls/openssl.cnf /home/neil/ssl-work-bench/openssl-original.cnf
cp /etc/pki/tls/openssl.cnf /home/neil/ssl-work-bench/openssl-kawc96.cnf
vi openssl-kawc96.cnf
# Now add the 'req_extensions' line to the end of stanza [ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
# Now add the following 17 lines to the end (blank lines delimit a stanza)
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS = kawc96.on.bell.ca
DNS.1 = ats.on.bell.ca
DNS.2 = kawc09.on.bell.ca
DNS.3 = kawc4n.on.bell.ca
DNS.4 = kawc0f.on.bell.ca
DNS.5 = kawc0u.on.bell.ca
DNS.6 = kawc3v.on.bell.ca
DNS.7 = kawc4l.on.bell.ca
DNS.8 = kawc4m.on.bell.ca
DNS.9 = kawc4n.on.bell.ca
DNS.10 = bfdc0d.on.bell.ca
DNS.11 = bfdc0e.on.bell.ca
------- do not include this line
1) ############################################## generate a key file
openssl genrsa -out kawc96_ccyymmdd.key 2048
2) ############################################## generate a CSR
openssl req -new -key kawc96_ccyymmdd.key -out kawc96_ccyymmdd.csr -config openssl-kawc96.cnf
3) ############################################## view CSR
openssl req -noout -text -in kawc96_ccyymmdd.csr
4) ############################################## produce ascii dump for copy/paste to vendor
cat kawc96_ccyymmdd.csr
5) ############################################## view the signed certificate
openssl x509 -text -noout -in kawc96_ccyymmdd.crt
# do not install this cert if you see any problems (like missing SAN info)
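A check for step 5, as an added example that is not part of these notes: it pulls the requested names out of the [ alt_names ] stanza of openssl-kawc96.cnf and compares them with the SAN block printed by 'openssl x509 -text -noout', flagging names the vendor dropped, names listed twice in the config (kawc4n appears twice in stanza 3 above) and a CN that is absent from the SAN. Both inputs are constructed excerpts, and the function names are mine, not OpenSSL's.

```python
import re
# Constructed excerpt of openssl-kawc96.cnf; DNS.3 repeats DNS.2 on purpose
CNF_TEXT = """
[ alt_names ]
DNS = kawc96.on.bell.ca
DNS.1 = ats.on.bell.ca
DNS.2 = kawc4n.on.bell.ca
DNS.3 = kawc4n.on.bell.ca
"""
# Constructed excerpt of `openssl x509 -text -noout` for a vendor cert whose SAN lost a name
CRT_TEXT = """
        Subject: C = CA, ST = Ontario, O = Bell Canada, CN = kawc96.on.bell.ca
            X509v3 Subject Alternative Name:
                DNS:kawc96.on.bell.ca, DNS:ats.on.bell.ca
            X509v3 Basic Constraints:
"""

def cnf_section(text, name):
    """Yield (key, value) pairs from the [ name ] stanza of an OpenSSL config."""
    inside = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/padding
        if line.startswith("["):                     # a new stanza begins
            inside = line.strip("[] \t") == name
        elif inside and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            yield key, val

def requested_dns(cnf_text):
    """DNS names under [ alt_names ]; keys are DNS, DNS.1, DNS.2, ..."""
    return [v for k, v in cnf_section(cnf_text, "alt_names") if k.split(".")[0] == "DNS"]

def issued_dns(x509_text):
    """DNS names from the SAN block of `openssl x509 -text` or `openssl req -text`."""
    lines, names = x509_text.splitlines(), []
    for i, line in enumerate(lines):
        if "Subject Alternative Name:" in line:
            for entry in lines[i + 1:]:
                if not re.match(r"\s*(DNS|IP Address|email|URI):", entry):
                    break                            # next extension header
                names += re.findall(r"DNS:([^,\s]+)", entry)
    return names

def check_san(cnf_text, x509_text):
    """Requested vs. issued names; any non-empty result is a reason not to install."""
    wanted, got = requested_dns(cnf_text), issued_dns(x509_text)
    cn = re.search(r"Subject:.*?\bCN\s*=\s*([^,\n]+)", x509_text)
    return {"missing": sorted(set(wanted) - set(got)),
            "duplicates": sorted({n for n in wanted if wanted.count(n) > 1}),
            "cn_not_in_san": bool(cn) and cn.group(1).strip() not in got}
```

Feed it the real config and the output of step 5 (or of step 3 to vet the CSR before sending it); an empty 'missing' list and 'cn_not_in_san' of False is what you want to see before installing.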
------------------------------------------------------------------------------- stop
------------------------------------------------------------------------------- init
4) screen shots
------------------------------------------------------------------------------- start
####################################### generate key
$ cd /home/neil/ssl-work-bench
$ openssl genrsa -out kawc96_ccyymmdd.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
....................................+++++
e is 65537 (0x010001)
$
####################################### generate csr (using local config file)
$ openssl req -new -key kawc96_ccyymmdd.key -out kawc96_ccyymmdd.csr -config openssl-kawc96.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Kitchener
Organization Name (eg, company) [Default Company Ltd]:Bell Canada
Organizational Unit Name (eg, section) []:Bell-ATS
Common Name (eg, your name or your server's hostname) []:kawc96.on.bell.ca
Email Address []:neil.rieck@bell.ca
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
####################################### view csr
$ openssl req -noout -text -in kawc96_ccyymmdd.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CA, ST = Ontario, L = Kitchener, O = Bell Canada, OU = Bell-ATS,
                 CN = kawc96.on.bell.ca, emailAddress = neil.rieck@bell.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:kawc96.on.bell.ca, DNS:ats.on.bell.ca, DNS:kawc09.on.bell.ca,
                DNS:kawc4n.on.bell.ca, DNS:kawc0f.on.bell.ca, DNS:kawc0u.on.bell.ca,
                DNS:kawc3v.on.bell.ca, DNS:kawc4l.on.bell.ca, DNS:kawc4m.on.bell.ca,
                DNS:kawc4n.on.bell.ca, DNS:bfdc0d.on.bell.ca, DNS:bfdc0e.on.bell.ca
    Signature Algorithm: sha256WithRSAEncryption
[neil@kawc4n ssl-work-bench]$
####################################### dump csr for copy/paste
[neil@kawc4n ssl-work-bench]$ cat kawc96_ccyymmdd.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
[neil@kawc4n ssl-work-bench]$
------------------------------------------------------------------------------- stop
------------------------------------------------------------------------------- init
5) reference data (from the web)
------------------------------------------------------------------------------- start
1) create key file 'acme.com.key' like so:
openssl genrsa -out acme.com.key 2048
-----------------------------------------------------------
2) create config file 'acme.com.cnf' containing this:
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Ile-de-France
localityName = PARIS LA DEFENSE
organizationName = ACME GROUPE
organizationalUnitName = IS Services
commonName = acme.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = acme.com
DNS.2 = subdomain.acme.com
DNS.3 = another.acme.com
-----------------------------------------------------------
3) create csr file 'acme.com.csr' like so:
openssl req -new -sha256 -out acme.com.csr -key acme.com.key -config acme.com.cnf
-----------------------------------------------------------
4) config file notes:
1) these two entries in stanza "[ req ]" point to the stanzas further down. Without
them, anything else tacked onto the end of this file is ignored by 'openssl req'.
distinguished_name = req_distinguished_name
req_extensions = req_ext
2) with 'prompt = no' the DN values are read from stanza "[ req_distinguished_name ]";
in the original (interactive) version of that stanza the CLI can, and will, prompt
for keyboard input.
------------------------------------------------------------------------------- stop
=============================================================================== no more

Neil Rieck
Waterloo, Ontario, Canada.