|
The Subject Alternative Name (SAN) attribute requires each value to specify its type, since a SAN entry can be any of several formats - DNS name, IP address, email address, URI, and others. Without a type, the SAN value becomes ambiguous and does not comply with the X.509 specification. The examples below show the difference between generating a CSR without and with proper SAN value types.
- Generating the CSR without value type:
- CSR outputs with an OpenSSL utility will include the SAN attribute:
$ openssl req -text -in cst_without_sanType.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = fgt05.fortinet.lab, emailAddress = info@fortinet.lab
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bc:a7:99:e1:d3:da:9f:7f:12:24:5e:54:f6:33:
....
....
37:6b
Exponent: 65537 (0x10001)
Attributes: ///SAN attribute is missing///
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
Solution:
- Generating the CSR with a value type:
- CSR outputs with an OpenSSL utility:
$openssl req -text -in csr_with_SAN_type.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = fgt05.fortinet.lab, emailAddress = info@foritnet.lab
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d1:0a:45:e7:ea:0e:89:9a:e5:9e:5e:f7:0f:66:
...
...
49:67:f1:2f:20:6d:5c:a3:55:cb:b2:b5:0c:49:30:
1a:b5
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:fgt05.fortinet.lab, IP Address:192.168.0.2
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
Related articles:
Technical Tip: Generate CSR via FortiGate CLI
|
