Troubleshooting
Problem
This document provides basic steps for creating a CSR (certificate signing request) with multiple SAN (Subject Alternative Name) entries, using IBM i OpenSSL (Portable Utilities 5733-SC1).
Additional information about X.509 v3 extension parameters can be found at: https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
Web searches on 'openssl san csr' will turn up similar technotes.
The IBM Technology Services consulting team can provide custom directives beyond this technote.
Environment
This documentation was written against OpenSSL 1.1.1p (21 Jun 2022). OpenSSL 1.1.1 reached end of life on 11 September 2023; the req configuration directives below are unchanged on OpenSSL 3.x.
Additional information and instructions can be found here:
https://www.ibm.com/docs/en/i/7.4?topic=device-portable-utilities-i
https://www.openssl.org/news/openssl-1.1.1-notes.html
https://www.ietf.org/rfc/rfc5280.txt
Resolving The Problem
Step 1. Create a SAN template file in the IBM i file system.
strqsh
touch -C 819 /home/SAN.cnf
(The -C 819 option tags the new file with CCSID 819, ISO 8859-1, so that EDTF stores ASCII text that OpenSSL in PASE can read; a file tagged with an EBCDIC CCSID would not parse.)
F3 to exit.
Step 2. Populate the SAN.cnf file with directives.
EDTF '/home/SAN.cnf'
Go to the cmd field.
Type i35 and press Enter (this inserts 35 blank lines), then move the cursor to the field under the first *.
Paste the sample text below. (You may have to paste in three steps, pressing PgDn between pastes.)
Change the req_distinguished_name and sans values to match your organization, geography and DNS names.
#The sample configuration file to generate the CSR for a server certificate.
#Based off IBM i /QOpenSys/QIBM/UserData/SC1/OpenSSL/openssl.cnf
#Modify the entries to match your domain & CFGTCP option 12 values.
#Note: a 'days' value has no meaning in a CSR (openssl req ignores it); the validity period is set by the CA.
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = AB
stateOrProvinceName = CD
localityName = EFG_HIJ
organizationName = MyOrg
organizationalUnitName = MyOrgUnit
commonName = mycommname.com
emailAddress = emailaddress@myemail.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @sans
[ sans ]
#The commonName should also appear in this list; TLS clients match on SAN entries, not on the CN.
DNS.0 = localhost.mydomain.com
DNS.1 = SystemA.mydomain.com
#Short host names without a domain are 'internal names'; public CAs will not issue certificates for them.
DNS.2 = SystemA
DNS.3 = TestA
#IP addresses belong in IP.n entries, not DNS.n (RFC 5280 section 4.2.1.6); clients match IPs only against iPAddress entries.
IP.1 = 172.1.2.3
email.1 = myemail@email.com
Step 3. Enter IBM i PASE environment and create the CSR.
call qp2term
cd /home
openssl req -newkey rsa:2048 -nodes -sha256 -keyout key.pem -out req.csr -config SAN.cnf
Note: -nodes writes the private key (key.pem) unencrypted. Restrict it to the profile that will install the certificate (for example, chmod 600 key.pem in PASE) and never send it to the CA; only req.csr is submitted. rsa:2048 is the minimum key size most public CAs accept.
Note: To list the subject alternative names in the CSR (DNS, IP and e-mail entries):
openssl req -text -noout -verify -in req.csr | grep -E 'DNS|IP Address|email'
To view the full contents of the CSR:
openssl req -text -noout -verify -in req.csr
Step 4. Send the .csr file to your issuer (certificate authority). In return you will receive a server certificate file (.crt); the private key never leaves the system. Note that the CA decides which of the requested extensions it honours, so review the SAN list in the issued certificate as well.
Most certificate vendor sites also provide a 'CSR decoder' that lets you review the CSR contents before the request is submitted.
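The procedure above comes down to writing a correct [sans] section and confirming, before the CSR goes to the CA, that every name actually landed in it. The following Python script is an added example (not part of the IBM technote and not OpenSSL code) that does both: it classifies each entry as DNS, IP or email so that an IP literal is emitted as IP.n rather than DNS.n, warns about entries a public CA will refuse (internal names, private addresses, a commonName missing from the SAN list), renders a SAN.cnf in the same layout as the template above, and compares the [sans] section against the SAN line of openssl req -text -noout output. The DN values, host names, address and the CSR dump embedded in it are constructed samples, and the keyUsage line in the generated config is an addition beyond the technote's template.

```python
"""Build the [sans] section of an openssl req config and check the CSR it produces.
Added example, not code from the IBM technote or from OpenSSL; needs only python3.
All names, addresses and the CSR dump below are constructed sample values."""
import ipaddress
import re

# RFC 1123 host-name syntax: labels of 1-63 letters/digits/hyphens, no edge hyphens.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
SAN_HEADER = "X509v3 Subject Alternative Name:"
SAN_KINDS = {"DNS": "DNS", "IP Address": "IP", "email": "email"}  # labels openssl prints

def normalize(kind, value):
    """Comparison key: DNS names and e-mail addresses are case-insensitive, IPs compare as addresses."""
    return (kind, str(ipaddress.ip_address(value)) if kind == "IP" else value.lower())

def classify_san(entry):
    """Map one entry to ("DNS" | "IP" | "email", value). An IP literal must become
    IP.n, not DNS.n: RFC 5280 4.2.1.6 allows only host names in dNSName."""
    entry = entry.strip()
    try:
        return ("IP", str(ipaddress.ip_address(entry)))
    except ValueError:
        pass
    if "@" in entry:
        local, _, domain = entry.rpartition("@")
        if local and HOSTNAME_RE.match(domain):
            return ("email", entry)
        raise ValueError(f"bad email SAN: {entry!r}")
    host = entry[2:] if entry.startswith("*.") else entry  # allow a leading wildcard label
    if len(host) <= 253 and HOSTNAME_RE.match(host):
        return ("DNS", entry)
    raise ValueError(f"bad DNS SAN: {entry!r}")

def build_san_config(subject, entries):
    """Render a SAN.cnf in the technote's layout from a DN dict and a list of SAN
    strings of any kind; returns (config_text, warnings)."""
    counters = {"DNS": 0, "IP": 0, "email": 0}
    seen, san_lines, warnings = set(), [], []
    for entry in entries:
        kind, value = classify_san(entry)
        key = normalize(kind, value)
        if key in seen:  # drop duplicates
            continue
        seen.add(key)
        if kind == "DNS" and "." not in value.lstrip("*."):
            warnings.append(f"{value}: internal name, public CAs will not issue for it")
        if kind == "IP" and ipaddress.ip_address(value).is_private:
            warnings.append(f"{value}: private address, public CAs will not issue for it")
        san_lines.append(f"{kind}.{counters[kind]} = {value}")
        counters[kind] += 1
    cn = subject.get("commonName")
    if cn and normalize("DNS", cn) not in seen:
        warnings.append(f"commonName {cn} is not in the SAN list; clients ignore the CN")
    head = ["[ req ]", "prompt = no", "distinguished_name = req_distinguished_name",
            "req_extensions = v3_req", "", "[ req_distinguished_name ]"]
    dn = [f"{k} = {v}" for k, v in subject.items()]
    ext = ["", "[ v3_req ]", "basicConstraints = CA:FALSE",
           "keyUsage = digitalSignature, keyEncipherment",  # added: usual for an RSA server cert
           "extendedKeyUsage = serverAuth", "subjectAltName = @sans", "", "[ sans ]"]
    return "\n".join(head + dn + ext + san_lines) + "\n", warnings

def expected_sans(config_text):
    """SAN entries declared in the [sans] section of the config."""
    pairs = re.findall(r"^(DNS|IP|email)\.\d+\s*=\s*(\S+)", config_text, re.M)
    return {normalize(k, v) for k, v in pairs}

def parse_csr_sans(csr_text):
    """SAN entries from `openssl req -text -noout` output (the line after the header)."""
    lines = csr_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip().startswith(SAN_HEADER):
            found = set()
            for item in lines[i + 1].split(","):
                kind, _, value = item.strip().partition(":")
                if kind in SAN_KINDS:
                    found.add(normalize(SAN_KINDS[kind], value))
            return found
    return set()

def missing_sans(config_text, csr_text):
    """Config entries absent from the CSR; an empty set means it is safe to submit."""
    return expected_sans(config_text) - parse_csr_sans(csr_text)

# Constructed sample of `openssl req -text -noout -in req.csr` output, not from a real system.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Subject: C = AB, ST = CD, O = MyOrg, CN = SystemA.mydomain.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost.mydomain.com, DNS:SystemA.mydomain.com, DNS:SystemA, IP Address:172.1.2.3
"""

if __name__ == "__main__":
    subject = {"countryName": "AB", "organizationName": "MyOrg", "commonName": "SystemA.mydomain.com"}
    config, warnings = build_san_config(subject, ["SystemA.mydomain.com", "SystemA", "172.1.2.3"])
    print(config, *("warning: " + w for w in warnings), sep="\n")
    print("missing from CSR:", missing_sans(config, SAMPLE_CSR_TEXT) or "none")
```

Run it with python3 on a workstation or in PASE if python3 is installed there, write the returned config text to SAN.cnf, and after Step 3 pass the real output of openssl req -text -noout -in req.csr to missing_sans(); an empty set means every entry in SAN.cnf made it into the CSR, which is the same check a vendor's CSR decoder performs. Entries are compared case-insensitively for DNS names and by address for IPs, so a CSR that prints SystemA while the config said systema still counts as present.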
Document Information
Modified date:
25 April 2023
UID
ibm16587931