# OpenSSL and certificates with multiple host names

## VinzC

Hi.

I'd like to know if there's a way to invoke openssl to generate SSL host certificates so that all the alternate names are passed on the command line, possibly retrieved from a single configuration file using environment variables...

This is actually the section that bugs me:

```
[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.foo.com
DNS.2 = www.foo.org
```

I still haven't found how to put multiple names on the command line and retrieve them from a template configuration file.

Thanks for any hint/suggestion.

----------
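Doing what the opening post asks with openssl itself, as an added example that is not from the thread: openssl expands `${ENV::NAME}` inside its configuration file from the process environment, so a single template can take the CN and the whole subjectAltName list from variables set on the command line, with no `alt_names` section to edit per host. The function names, file names and host names below are assumed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): feed subjectAltName entries to
# openssl through an environment variable read by a template config.
set -eu

# Write the request template once. ${ENV::CN} and ${ENV::SAN} are expanded
# by openssl from the CN and SAN environment variables when the config is
# loaded; an unset variable makes openssl refuse the config outright.
write_req_template() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = ${ENV::CN}

[ v3_req ]
subjectAltName = ${ENV::SAN}
EOF
}

# Turn a list of host names into the "DNS:a,DNS:b" form openssl expects.
san_from_names() {
    out=""
    for n in "$@"; do
        out="${out:+$out,}DNS:$n"
    done
    printf '%s\n' "$out"
}

# Generate a key and a CSR for $1 (the CN); the remaining arguments are the
# alternative names. The CN is repeated as the first DNS entry because
# browsers match the host name against the SAN list, not the CN.
make_csr() {
    cn=$1; shift
    SAN=$(san_from_names "$cn" "$@")
    write_req_template req.cnf
    CN=$cn SAN=$SAN openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$cn.key" -out "$cn.csr" -config req.cnf
}

# Print the DNS names carried by a CSR, one per line, to verify the result.
csr_dns_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/DNS://'
}

# Usage (assumed names): make_csr www.foo.com www.foo.org
```

Run `csr_dns_names www.foo.com.csr` after signing the request to confirm that every name you passed actually ended up in the extension; the same template works for `openssl ca` or `openssl x509 -req` as long as the signing step is told to copy or apply the `v3_req` extensions, since a CSR's requested extensions are not carried into the certificate by default.

----------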

## chiefbag

I would think the only way is to script this externally and loop through the process, taking the FQDNs from a text file.

What you are attempting to do is edit the config file for openssl.

This file is used by openssl to load default parameters depending on the command issued; what you are attempting to do will not work, in my opinion.

----------

## Hu

Have you considered using certtool from net-libs/gnutls instead of openssl ca?  It can generate certificates from the command line or based on template files.

----------

## VinzC

*Hu wrote:*

> Have you considered using certtool from net-libs/gnutls instead of openssl ca?  It can generate certificates from the command line or based on template files.

Hey! Thanks, Hu! I did not know of that. Fact is, all the examples I saw were using openssl. Do you have any example? I'll google for that too, but just to make sure I don't miss anything...

Thanks again.

----------

## Hu

info certtool has several usage examples, though I do not recall if they cover doing exactly what you want here.

----------

## VinzC

*Hu wrote:*

> info certtool has several usage examples, though I do not recall if they cover doing exactly what you want here.

Yes, I could figure that out. There's also the gnutls man page on the web.

The one thing I was looking for is the ability to include a configuration file in another, but it looks like neither is able to do that. The reason is that there is a large common part and only a few lines that differ between server certificate configs (e.g. the alternate DNS lines). Now, certtool looks more «intuitive» than openssl. But it's just my opinion.

I have one question though: is it possible to reuse my SSH private key to generate an SSL client certificate for TLS authentication? I'm asking because I have one, and it looks like it's not stored in a format that is recognized by certtool.

----------

## Hu

You could keep one file with the common settings and another with the specific settings, then concatenate them into a single temporary template.  Depending on how certtool expects to access the file, you might be able to feed it the combined file over a pipe, in which case you could do cat common specific | certtool arguments.

Sorry, I cannot help with the SSH key question.  I prefer to have separate private keys for each service.

----------
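Hu's common-plus-specific layout, as an added shell example that is not from the thread: one file holds the settings every server certificate shares, a small per-host fragment holds the CN and one `dns_name` line per alternative name, and the two are concatenated into a temporary template handed to certtool. The template keys used (`cn`, `dns_name`, `tls_www_server`, `signing_key`, `encryption_key`, `expiration_days`, `organization`, `unit`, `country`) are the ones documented in the certtool manual; the organisation values, file names and function names are assumed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): build a certtool template from a
# common part and a per-host fragment, then generate a request from it.
set -eu

# Settings shared by every server certificate (constructed sample values).
write_common() {
    cat > "$1" <<'EOF'
organization = "Example Corp"
unit = "Web"
country = BE
expiration_days = 365
tls_www_server
signing_key
encryption_key
EOF
}

# Per-host fragment: the CN plus one dns_name line per name. certtool
# accepts dns_name repeatedly, which is what makes the split possible.
write_host_fragment() {
    file=$1; cn=$2; shift 2
    {
        printf 'cn = "%s"\n' "$cn"
        for n in "$cn" "$@"; do
            printf 'dns_name = "%s"\n' "$n"
        done
    } > "$file"
}

# Merge common settings and host fragment into one template for certtool.
build_template() {
    cat "$1" "$2" > "$3"
}

# List the dns_name values of a template, one per line, for checking.
template_dns_names() {
    sed -n 's/^dns_name = "\(.*\)"$/\1/p' "$1"
}

# Generate a private key and a certificate request for a host (the CN),
# with the remaining arguments as alternative names. The certtool calls
# are skipped when the tool is not installed so the template step still runs.
make_request() {
    cn=$1; shift
    write_common common.cfg
    write_host_fragment "$cn.cfg" "$cn" "$@"
    build_template common.cfg "$cn.cfg" "$cn.tmpl"
    if command -v certtool >/dev/null 2>&1; then
        certtool --generate-privkey --outfile "$cn.key" 2>/dev/null
        certtool --generate-request --load-privkey "$cn.key" \
            --template "$cn.tmpl" --outfile "$cn.csr"
    fi
}

# Usage (assumed names): make_request www.foo.com www.foo.org
```

Writing the merged template to a file rather than piping it keeps the generated request reproducible and leaves something to inspect with `template_dns_names` before the request is signed; the same merged file can be reused unchanged for `--generate-certificate` when you sign the request with your sub-CA.

----------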

## VinzC

Thanks Hu. I'll definitely look through this.

For now I'm struggling with Micro**** certificate services to have our root CA generate a root CA for the web server. So far I haven't been able to:

- have IIS certification services generate a root CA certif' for my web site (IIS svc doesn't recognize the format)

- use the root CA from IIS and extract the private key (certtool doesn't recognize the certificate format #P12 that I backed up)

Kinda stuck therefore.

*shrugs*

----------

## VinzC

I found some hints:

- Creating a sub-certificate authority
- Transferring An Apache SSL Certificate Across Multiple Servers - Works!

The latter involves exporting the IIS root certificate (hence with the private key embedded), which I am not quite fond of... Currently evaluating both possibilities. Stay tuned!

----------

## VinzC

Allo, Houston, I have a problem!  :Very Happy: 

I've been battling with certtool and client certificates for a while, and I can't seem to succeed in importing them into Firefox, MSIE, and Seamonkey. While creating a sub-authority and a server certificate works neatly, none of the client certificates I want to create can be imported in any browser. With Seamonkey and Firefox I get an error message: «The PKCS #12 operation failed for unknown reasons»! Get over it! MSIE doesn't even recognize my password and pretends it doesn't match... Never mind.

Here's the reference I used to create my certificates. I first tried generating my client certificate using my sub-CA certificate, and then I tried the examples in that tutorial, word for word. The import of the p12 file fails in Firefox and Seamonkey.

Has anyone else succeeded in importing client certificates generated with certtool into one of these browsers?

Thanks a lot in advance.

Amen.

----------

