How do I add multiple email addresses to an SSL certificate via the command line?
I know that by adding/modifying the SubjectAltName entry in openssl.cnf this can be achieved, but is there a way to do so without having to modify that file every time?
openssl ssl certificates
edited 1 hour ago
Peter Mortensen
asked Jan 31 '13 at 9:15
Tobias Kienzler
2 Answers
You don't have to mess around with the openssl.cnf file in any way.

The following command demonstrates how to generate a self-signed certificate with SAN for the email nobody@example.com:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj '/CN=Nobody' \
  -extensions san \
  -config <(echo '[req]'; echo 'distinguished_name=req';
            echo '[san]'; echo 'subjectAltName=email:nobody@example.com')

The trick here is to include a minimal [req] section that is good enough for OpenSSL to get along without its main openssl.cnf file.

In OpenSSL ≥ 1.1.1, this can be shortened to:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj '/CN=Nobody' \
  -addext 'subjectAltName=email:nobody@example.com'

Here we are using the new -addext option, so we don't need -extensions and -config anymore.

Don't forget to verify the contents of the generated certificate:

openssl x509 -noout -text -in example.crt

See also: https://security.stackexchange.com/a/198409/133603 and https://stackoverflow.com/a/41366949/19163
edited Nov 26 at 10:06
answered Dec 28 '16 at 17:48
vog
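
The -addext form from the answer above, extended to several addresses and checked afterwards; this is an added example, not part of the original answer. The helper names build_email_san, make_cert and cert_emails are hypothetical, OpenSSL ≥ 1.1.1 is assumed, and addresses are validated because a comma inside one would add a further SAN entry.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the answer above.

# Build the -addext value from a list of addresses. The comma separates SAN
# entries, so an address such as "a@example.com,DNS:other.example" would add
# an entry of its own; only a conservative character set is accepted.
build_email_san() (
    san=""
    for addr in "$@"; do
        case "$addr" in
            *[!A-Za-z0-9@._+-]*|*@*@*)
                echo "rejected address: $addr" >&2; exit 1 ;;
            ?*@?*)
                san="${san:+$san,}email:$addr" ;;
            *)
                echo "rejected address: $addr" >&2; exit 1 ;;
        esac
    done
    [ -n "$san" ] || { echo "no addresses given" >&2; exit 1; }
    printf 'subjectAltName=%s\n' "$san"
)

# make_cert PREFIX CN ADDRESS...  writes PREFIX.key and PREFIX.crt
# (2048-bit key to keep the demo quick; the answer uses rsa:4096).
make_cert() (
    prefix=$1; cn=$2; shift 2
    ext=$(build_email_san "$@") || exit 1
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$prefix.key" -out "$prefix.crt" -subj "/CN=$cn" \
        -addext "$ext" 2>/dev/null
)

# List the e-mail addresses the certificate actually carries, sorted.
cert_emails() {
    openssl x509 -noout -email -in "$1" | sort | paste -sd, -
}

# Usage:
#   make_cert example Nobody nobody@example.com second@example.org
#   cert_emails example.crt
```

Comparing the output of cert_emails with the list that was requested catches a certificate that carries more or fewer addresses than intended before it is handed out.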
In openssl.cnf at the top add the entry SAN = "email:copy" (to have a default value in case the environment variable SAN is not set) and in the respective section use SubjectAltName = ${ENV::SAN}. Now just call SAN="email:copy, email:adress@two" openssl ..., where email:copy makes sure the main address is used as well. (Adapted from here)
edited Jan 31 '13 at 11:41
answered Jan 31 '13 at 11:17
Tobias Kienzler
note to self: If your only access is via SSH, make sure your openssl.conf is valid. The simplest check is trying to establish a second connection (or scp something) without cutting the first one – Tobias Kienzler Mar 12 '13 at 13:26