rhn-ssl-tool does not generate certificates with Subject Alternative names

Solution Verified - Updated -

Issue

  • I am attempting to generate new Satellite server certificates using the rhn-ssl-tool with Subject Alternative Names.
  • I can see in the ssl-build/*/rhn-server-openssl.cnf file that the names are there, and I can see in the associated server.csr file that the names exist:
# openssl req -in server.csr -noout -text
...
            X509v3 Subject Alternative Name: 
                DNS:<name 1>, DNS:<name 2>, DNS:<name 3>, DNS:<name 4>
...
  • However, the Subject Alternative Names aren't in the server.crt file generated from the server.csr:
# openssl x509 -in server.crt -noout -text
...
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                RHN SSL Tool Generated Certificate
            X509v3 Subject Key Identifier: 
              <numbers>
            X509v3 Authority Key Identifier: 
                keyid:<key>
                DirName<dir stuff>
                serial:<serial>
...
  • As a test, when I manually sign the certificate request, I can see the subject alternative name in the certificate output, so why isn't this information in the certs generated by rhn-ssl-tool?

Environment

  • Red Hat Satellite or Proxy 5.6
  • spacewalk-certs-tools-2.0.1-2
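
A check for the symptom described above, as an added example that is not part of the original article: it reads the text dumps produced by the two openssl commands shown and lists every Subject Alternative Name the CSR requests but the issued certificate lacks. The helper names san_names and san_dropped are hypothetical, and the host names and sample dumps are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): report SAN entries that a CSR
# requests but the certificate issued from it lacks.

# Read `openssl req -text` or `openssl x509 -text` output on stdin and print
# the Subject Alternative Name entries one per line, sorted.
san_names() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            gsub(/^[ \t]+|[ \t\r]+$/, "")
            n = split($0, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
            grab = 0
        }
    ' | LC_ALL=C sort -u
}

# san_dropped CSR_TEXT CRT_TEXT: both arguments are files holding -text output.
# Prints each requested name that is absent from the certificate.
# Returns 0 if none are missing, 1 if some are, 2 on a temp-file error.
san_dropped() {
    want=$(mktemp) && have=$(mktemp) || return 2
    san_names < "$1" > "$want"
    san_names < "$2" > "$have"
    missing=$(LC_ALL=C comm -23 "$want" "$have")
    rm -f "$want" "$have"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample dumps (hypothetical host names), shaped like the article's output.
demo_dir=$(mktemp -d)
cat > "$demo_dir/csr.txt" <<'EOF'
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:sat.example.com, DNS:sat-alias.example.com
EOF
cat > "$demo_dir/crt.txt" <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                RHN SSL Tool Generated Certificate
EOF
san_dropped "$demo_dir/csr.txt" "$demo_dir/crt.txt" || echo "certificate is missing the names above"
```

With real files, write each dump first using the article's commands, for example `openssl req -in server.csr -noout -text > csr.txt` and `openssl x509 -in server.crt -noout -text > crt.txt`.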
