Topic: Creation of cert with Subject Alternative Names

Is there an example of how to create a certificate that has information in the SAN extension that does not require that the data come from another cert? I need to be able to generate the SAN data in real time and add to a cert.

Also, does wolfSSL support the Directory Names SAN extension?

Re: Creation of cert with Subject Alternative Names

Hi stroebeljc,

The only other option is setting the alternate names `.altNames` as raw DER. See the example here:
https://github.com/wolfSSL/wolfssl-exam … -alt-names
https://github.com/wolfSSL/wolfssl-exam … mple.c#L68

Thanks,
David Garske, wolfSSL

Re: Creation of cert with Subject Alternative Names

Hello stroebeljc,

Certainly! Here is an example from our repository:
https://github.com/wolfSSL/wolfssl-exam … mple.c#L67

Let us know if there are questions.

Thanks,
Eric @ wolfSSL Support

Re: Creation of cert with Subject Alternative Names

Thanks for the reference to the example.

Is there an easy way to create a Common Name field that's part of a Distinguished Name that I can then use to generate my SANs? As per the example, it's pretty easy to create the DNS names and IP addresses, but creating a DN inside a Directory Name seems a bit more complicated.

Re: Creation of cert with Subject Alternative Names

Hi stroebeljc,

I am not sure what you mean about the DN inside a Directory Name. Can you provide an example of what you are trying to accomplish?

Thanks,
David Garske, wolfSSL

6 (edited by stroebeljc 2022-07-19 07:25:15)

Re: Creation of cert with Subject Alternative Names

DN means Distinguished Name.
Here is an example:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: critical
                DirName:/CN=10112233445566778899aabbccddeeff, DirName:/CN=20112233445566778899aabbccddeeff


I also need to set the Basic Constraint extension, but am not clear on how to do that. Can you provide guidance on this?

Finally, is there a way to set the Subject Alternative Name to critical?

Re: Creation of cert with Subject Alternative Names

Any update on my questions?

Re: Creation of cert with Subject Alternative Names

Hi stroebeljc,

Thank you for sharing the example. The best examples are here:
https://github.com/wolfSSL/wolfssl-exam … er/certgen

I don't see an example for setting DirName, so I am having another engineer research this.

Thanks,
David Garske, wolfSSL
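
The SAN value from the DirName example earlier in the thread, built as raw DER of the kind the `.altNames` reply refers to; this is an added example, not part of any post and not wolfSSL code. The function names are hypothetical, the encoding follows RFC 5280 (directoryName is GeneralName choice [4], explicitly tagged), and whether the `.altNames` buffer expects exactly this outer SEQUENCE is an assumption to check against the linked example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wrap in[0..len) in a DER TLV written to out; in may equal out. Returns size, 0 on error. */
static size_t der_wrap(uint8_t tag, const uint8_t *in, size_t len, uint8_t *out, size_t cap) {
    size_t hdr = (len < 0x80) ? 2 : (len < 0x100) ? 3 : 4;
    if (len > 0xFFFF || cap < hdr || cap - hdr < len) return 0;
    memmove(out + hdr, in, len);              /* shift content to make room for the header */
    out[0] = tag;
    if (hdr == 2) out[1] = (uint8_t)len;      /* short-form length */
    else if (hdr == 3) { out[1] = 0x81; out[2] = (uint8_t)len; }
    else { out[1] = 0x82; out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len; }
    return hdr + len;
}

/* One GeneralName: directoryName [4] holding a Name with a single CN RDN. */
static size_t san_dirname_cn(const char *cn, uint8_t *out, size_t cap) {
    static const uint8_t oid_cn[] = { 0x06, 0x03, 0x55, 0x04, 0x03 }; /* OID 2.5.4.3 */
    size_t o = sizeof(oid_cn), len;
    if (cn[0] == '\0' || cap < o) return 0;
    len = der_wrap(0x0C, (const uint8_t *)cn, strlen(cn), out + o, cap - o); /* UTF8String */
    if (len == 0) return 0;
    memcpy(out, oid_cn, o);
    len = der_wrap(0x30, out, len + o, out, cap);       /* AttributeTypeAndValue */
    if (len) len = der_wrap(0x31, out, len, out, cap);  /* RelativeDistinguishedName (SET) */
    if (len) len = der_wrap(0x30, out, len, out, cap);  /* Name (RDNSequence) */
    if (len) len = der_wrap(0xA4, out, len, out, cap);  /* [4] EXPLICIT directoryName */
    return len;
}

/* GeneralNames ::= SEQUENCE OF GeneralName, one directoryName per CN. */
static size_t san_dirnames(const char *const *cns, size_t count, uint8_t *out, size_t cap) {
    size_t off = 0, i, n = 0;
    for (i = 0; i < count; i++, off += n)
        if ((n = san_dirname_cn(cns[i], out + off, cap - off)) == 0) return 0;
    return count ? der_wrap(0x30, out, off, out, cap) : 0;
}

int main(void) {
    /* CN values taken from the DirName example quoted in the thread */
    const char *cns[] = { "10112233445566778899aabbccddeeff", "20112233445566778899aabbccddeeff" };
    uint8_t der[256];
    size_t i, n = san_dirnames(cns, 2, der, sizeof(der));
    for (i = 0; i < n; i++) printf("%02X ", der[i]);
    printf("\n(%zu bytes)\n", n);
    return n ? 0 : 1;
}
```

This covers only the extension value; the critical flag and the Basic Constraints extension asked about in the thread are set on the enclosing Extension structure and are not encoded here.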

Re: Creation of cert with Subject Alternative Names

Thanks David.
In reviewing your examples I do not see a direct way to set the Basic Constraints extension and to set the SAN to critical. Those are the two issues I still have remaining. I tried using the Custom Extensions example to set the Basic Constraints extension but it broke other things in my code because of `--enable-asn=template`.

Re: Creation of cert with Subject Alternative Names

Hi stroebeljc,

How are you today? I'm glad to see you have discovered our `--enable-asn=template` flag! You say enabling it made other things break. I'm sorry to hear that.

Can you be more specific?  Can you let us know what broke?

Please send your details to support@wolfssl.com.  That will open up a support ticket and I will personally take ownership of it.

Warm regards, Anthony

Re: Creation of cert with Subject Alternative Names

In the meantime, I will also try to create an example using custom extensions.
Warm regards, Anthony
