ssl,openssl,ssl-certificate , Subject Alternative Name not present in certificate

Subject Alternative Name not present in certificate


Tag: ssl,openssl,ssl-certificate

I have generated a CSR that includes the field subject alt names:

openssl req -out mycsr.pem -new -key mykey.pem -days 365

When I inspect this it looks as expected with a new field present:

X509v3 Subject Alternative Name:
    DNS: my.alt.dns

However when I use this to sign a certificate that field is omitted for some reason.

I generate it with the following command:

openssl ca -out mycert.pem -infiles mycsr.pem

Can it be that my CA cert have to include the same Alt name for it to be included?


You can use:

copy_extensions = copy 

under your CA_default section in your openssl.cnf.

but only when you're sure that you can trust the extensions in the CSR as pointed out in this thread:

See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?


Get RSA keys in a “simple” form

How can I get keys generated by OpenSSL in RAW form? I mean I can't decode my encoded messages in any of online tools. What actions should I do to distribute my keys to other clients (in other apps and web-apps) in proper forms? My generation code is: void VS_CarrierNet::generateKeys()...

Self-signed Certificate and Client Keystore for SSL Authentication

I need to create and install a self-signed certificate on the server (an XML hardware appliance) to do SSL authentication of a Java client/application which, through its interface configuration, can set keystores, i.e. .jks. I only need this setup for testing purposes and not production, for obvious reasons. Here's how...

SSL Handshake in Java Servlet (HttpsURLConnection)

I have a java web application that requires a servlet to open a connection with a url that returns some data in the form of JSON back to the servlet for processing. Traditionally this was done using an HttpURLConnection and everything worked as planned. Now, we have added as self-signed...

How to disable common name check in SSLContext in java?

I am using SSLContext so set up Jersey client, and need to disable the common name check in order to avoid unnecessary issues. However, I can find no documentation as to how we can do it correctly. So is the common name check disabled by default in SSLContext (assuming using...

Use PHP to generate a public/private key pair and export public key as a .der encoded string

Currently I have some working php code to generate a private/public keypair and store them in two variables. These variables are strings, with one variable containing the private key, and the other containing the public key. I researched on stack overflow and I also found some code to convert a...

RSA decrypt message [closed]

My programs fails when I try to decrypt encrypted messages. My code: char *pri_key[] = "some key"; // ---> some key, that i've got from server RSA *rsa; BIO *keybio; keybio = BIO_new_mem_buf(pri_key, strlen(pri_key)); rsa = PEM_read_bio_RSAPrivateKey(keybio, &rsa, NULL, NULL); // Decrypt it // Encoded message is in buff char...

Wildcard SSL on several servers - seems OK when tested but red in Chrome

I'm trying to install a Wildcard SSL by Comodo on my servers - AWS amazon Linux with Apache2.4. '' is working 'almost' correctly - it has an exclamation mark - seems that this is because it is calling media from the '' - in which the HTTPS in chrome are...

Wildcard SSL - Which to chose and what is the key differences?

I have been left in confusion for quite some time in deciding which CA should i approach to obtain a SSL certificate. Much comparison has been made from different CA but I do not see what is the key differences that sets each other apart except the price they offer....

How do you unblock the 993 port if your firewall settings is blocking it?

I am trying to retrieve my emails from Gmail using php. for writing the host name, this is my code: $hostname = '{}INBOX'; I am getting this error: Warning: imap_open(): Couldn't open stream {}INBOX in /home1/mtc/public_html/mtcerp/emailparser/email.php on line 10 Cannot connect to Gmail: Can not authenticate to IMAP server: [CLOSED]...

Redirecting http to https

I'd like to redirect all of my http traffic to https, currently in my htaccess file I have the following redirecting my http traffic: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_HOST} !^www\. RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] </IfModule> This redirects all of my non-www to www. What is the best way to...

Should I upgrade the version installed with OS X Yosemite?

I am new to using Openssl and am wondering whether it is always best to upgrade it to the latest version available or whether this might cause problems. In most cases I would not hesitate to install the newest version of any given software product but in this case I...

Java client certificates and keystores

we are trying to build a MUTUAL/2WAY authentication mechanism. Because we hit two different hosts, we have the same client certificate stored in the client keystore container under two different aliases (please note the same fingerprint): [email protected]:/opt/golem# keytool -list -keystore ./client.keystore -storepass ________ Keystore type: JKS Keystore provider: SUN Your...

NPM Error: self signed certificate in certificate chain

I am following the Angular 2 quick start guide and I'm stuck right at the beginning of it. My company is filtering our network connections and modifying SSL negociation. In a man in the middle style they assign a self signed certificate as the CA of the destination's certificate. Therefore...

SecKeyRawVerify verifies on mac but fails with -9809 on iOS

I need to digitally sign on mac some data and then verify it on iOS. So I generated RSA keypair and certificate for public key in DER format with open ssl (tried generation with SecKeyGeneratePair but then it is harder to import Public key to iOS and SecKeyRawVerify still doesn't...

Websocket SSL connection

I am trying to test a secure websocket but I'm having trouble. Here is my test: var WebSocket = require('ws'); describe('testing Web Socket', function() { it('should do stuff', function(done) { var ws = new WebSocket('wss://localhost:15449/', { protocolVersion: 8, origin: 'https://localhost:15449' }); ws.on('open', function() { console.log('open!!!'); done(); }); console.log(ws); }); });...

Create OpenSSL certificates signed by myself

I'm using boost ssl for server and client, and I have a model for server/client program in my mind, and I'm not sure it's gonna work. The model I have in my mind is to be the only authority for certificates of my program. My main question is: How can...

Server Authentication in Swift 2.0 & XCode 7 broken

I just updated my code to Swift 2.0 to work with Xcode 7. My App performs NSURLAuthenticationMethodServerTrust and NSURLAuthenticationMethodClientCertificate authentication. The problem is NSURLAuthenticationMethodServerTrust authentication stopped working on my simulator - but still works on my test device with iOS 8.3. Besides my old project which is not Swift 2.0,...

Openshift trustwave intermediate ssl cert issue

So I have got an application on openshift and I am trying to enable SSL on there. I already have an SSL cert from my previous host which is with Trustwave and seemed to work fine. So I have setup an alias for and have put a CNAME redirect...

Same system, same code, different behaviors: The request was aborted: Could not create SSL/TLS secure channel

There are many questions about "The request was aborted: Could not create SSL/TLS secure channel." error message and it seems very few of them were answered. I couldn't find any answer about my case, also my problem is little bit different. I have a Windows Service. It sends data to...

Segmentation fault with generating an RSA and saving in ASN.1/DER?

#include <string.h> #include <openssl/aes.h> #include <openssl/rand.h> #include <openssl/bio.h> #include <openssl/rsa.h> #include <openssl/evp.h> #include <openssl/pem.h> #define RSA_LEN 2048 #define RSA_FACTOR 65537 int genRSA2048(unsigned char **pub,unsigned int *pub_l,unsigned char **priv,unsigned int *priv_l){ RSA *pRSA = NULL; pRSA = RSA_generate_key(RSA_LEN,RSA_FACTOR,NULL,NULL); if (pRSA){ pub_l = malloc(sizeof(pub_l)); *pub_l = i2d_RSAPublicKey(pRSA,pub); priv_l = malloc(sizeof(priv_l));...

Subject Alternative Name not present in certificate

I have generated a CSR that includes the field subject alt names: openssl req -out mycsr.pem -new -key mykey.pem -days 365 When I inspect this it looks as expected with a new field present: X509v3 Subject Alternative Name: DNS: my.alt.dns However when I use this to sign a certificate that...

ArgumentError - unknown SSL method `TLSv1_2'

I am trying to move my AWS integration over TLS instead of SSLv3, but I'm receiving an error when trying to set the config.fog_credentials as another SO post has suggested, but I am receiving the ArgumentError above (unknown SSL method 'TLSv1_2'. I am open to a different solution to move...

Rails, DNSimple, Heroku and SSL - do I need a certificate?

So I'm currently deploying my app via Heroku. I noticed that in has HTTPS, so if I do config.force_ssl = true in my environments/production.rb it seems like I have wildcare SSL, right? Now I'm using DNSimple to get my actual name - call it Which currently resolves to...

How to set up a meteor server on https connection?

I have a local meteor server running on port 3000.Then I want add the SSL Certificate to my project.I have generate the SSL files, what should I do the next?

SSL/TLS: Why will the server be the only one to be able to decrypt the encrypted number if it's a public key?

Wouldn't anyone else be able to decrypt it too using the public key? Or is it saying that it will be decrypted with a private key. If that's the case how could something be encrypted with one key and decrypted with another? This is in reference to this wikipedia article....

How to increment the value of an unsigned char * (C)

I have a value stored as an unsigned char * (in C). This holds the SHA1 hash of a string. My goal is to cover the SHA1 key space. Since I'm using <openssl/evp.h> to generate the hashes, I end up with an unsigned char* holding the SHA1 value. Now I...

How to check OpenSSL library version of android application

This is related to Google Play and OpenSSL warning message. Play store recommend to use the following command to grep: $ unzip -p YourApp.apk | strings | grep "OpenSSL" But on Windows, this command is not running. However I have installed WinZip, WinRAR, Cygwin and MinGW. So please help me...

Client certificate authentication

I am new to SSL and Certificates . I have been doing my research about client certificate authentication. I have read this and wiki. So If I have to implement a client certificate auth solution for my B2B REST service should I do following Ask clients to generate their own...

Roundcube - Nginx does not redirect to .php file automatically

EDITED! I set up a mail server on Debian 7 with Nginx, Postfix, Postfixadmin, Dovecot and Roundcube. I tried to create an alias to use the SSL certificate of my domain (of course, the domain here is an example) for the webmail. When accessing the following URL -...

Getting SSLHandshakeException in java

I ma getting SSL Hand Shake error in eclipse while calling https restful web service from simple java stub but, can access this URL from browser after importing Client Digital Certificate to browser which was shared by service provider. Hiding End point URL for security purpose. Please help me, i...

How to make a website work only with https [duplicate],ssl,https
This question already has an answer here: How to force HTTPS using a web.config file 3 answers How do I make a website to work only with https? Is there any method to make my website work only if the protocol is https? For example let me say,...

serving GAE applications over http

I have implemented an application on GAE which can be accessible through https://<my_app_id> Now I have a custom domain registered with As described in GAE documentation I have mapped my custom domain to https://<my_app_id> and I see my application getting served from my custom domain. But I see requests...

Particular URL redirect to http if request come from particular host

Web server is apache, ssl configured, listening on 443, All http requests will be redirected to https using rewrite rule Issues is all url's are serving through https, but we want to connect to the web server through http if the request is coming for particular url from particular host,...

Statically link OpenSSL in XCode

I am trying to link libssl.a and libcrypto.a static libraries in XCode command line project [under Link Binary With Libraries]. I have included Openssl header files in search path. Compilation succeeds but execution fails with dyld: Library not loaded: /usr/local/ssl/lib/libcrypto.1.0.0.dylib. Why does it look for dylib when I am linking...

How can i get Certificate issuer information in python?

I want the 'issued to' information from certificate in python. I try to use the SSL and SSLSocket library but did not happen. ...

Undefined symbols for architecture x86_64 (clang)

I'm trying to use OpenSSL to compute sha1 hash from a c program. I am compiling with clang on Mac OS X Yosemite with an Intel i7 (so 64 bit). The relevant piece of code is roughly like so: #include <openssl/evp.h> ... unsigned char outHash[20]; hash("SHA1","abcd", 20, outHash); The thing...

How to create a private certificate for connecting to a website

My apologies if this is a duplicate, I may just not be using the correct terminology in my queries to find what I am looking for. I have a vendor that sent me a certificate to install in my browser so that we can access their website. We cannot get...

SSLV3_ALERT_HANDSHAKE_FAILURE with SNI using Tornado 4.2 in Python 2.9.10

I have an issue setting the SNI flag correctly using ssl.SSLContext in Python 2.7.10, the handshake fails every time and I can't figure out why. Here is how I tried to do it: import ssl import socket if ssl.HAS_SNI: print "SNI is available" print(ssl.OPENSSL_VERSION) context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) context.load_cert_chain('cacrt.pem', 'cakey.pem', 'password')...

Meteor mupx ssl configuration is not working, still routing to port 80

Heres my mup.json: // Configure environment "env": { "PORT": 3000, "ROOT_URL": "" }, //SSL "ssl": { "certificate": "ssl/ssl.crt", // this is a bundle of certificates "key": "ssl/private.key", // this is the private key of the certificate "port": 443 // 443 is the default value and it's the standard HTTPS port...

wget ssl alert handshake failure

I am trying to download files from an https site and keep getting the following error: OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Unable to establish SSL connection. From reading blogs online I gather I have to provide the server cert and the client cert. I have found steps on how...

Now that SSLSocketFactory is deprecated on Android, what would be the best way to handle Client Certificate Authentication?

I am working on an Android app that requires Client Certificate Authentication (with PKCS 12 files). Following the deprecation of all that's apache.http.*, we have started a pretty big work of refactoring on our network layer, and we have decided to go with OkHttp as a replacement, and so far...

ssl certificate with and without www

I have a website that installed a ssl certificate for the name of It works fine for But it doesn't work for The browser gave me Error code: ssl_error_bad_cert_domain. I am using Apache 2. I tried to rewrite the url to add www in httpd-ssl.conf, see the...

How to load SSL Certficate in Java

I am creating a Java program to get information from a server but I have to perform a ssl handshake with the server from the Java program. I have myfilercert.cer file certificate for authentication purpose but I have no idea how I can load that certificate in java so that...

Starting a tls communication with python asyncio

I have some python code snippet that uses asyncio and initiates a "plain" connection: loop = asyncio.get_event_loop() coro = loop.create_connection(lambda: MyCustomClassProtocol(loop), sock=client_socket) loop.run_until_complete(coro) The point is my plain connection switches to a tls one once some exchanges have happened. In the traditional way one would do this: ssl_sock = ssl.wrap_socket(client_socket,...

Configure Apache web server to perform SSL authentication

I'm trying to perform SSL authentication in apache web server, using XAMPP in Linux. After I configure httpd.conf like this, Apache server is failing to start. Can some one help me to fix this ? What is wrong with my configuration ? Alias /bitnami/ "/opt/lampp/apache2/htdocs/" Alias /bitnami "/opt/lampp/apache2/htdocs" <Directory "/opt/lampp/apache2/htdocs">...

How does DNS server know the IP address of an SSL's URL?

The SSL/TLS (https) protocol encrypts both of the web page url and its content. So I'm wondering how could the DNS server know the ip address of the requested url if it is encrypted? Any documented reference or idea?

Wildfly mysql with SSL

I have a web app using a mysql database as its data store. It is currently running in Glassfish and talking to that mysql database with SSL. I am thinking about migrating to Wildfly but I can't seem to create a Wildfly datasource that will talk to the mysql database...

Issue with understanding keystore and ssl

These are the facts: I have a client(android)-server(java - Ubuntu 14.04)-program with which I transmit my gps-data from my smartphone every 5 minutes to the server saving it into a mysql-database. My problem is that I do not want to transmit my GPS data plain. So I want to use...