# openssl x509 -in alice-tls.cert -text -noout | |
Certificate: | |
Data: | |
Version: 3 (0x2) | |
Serial Number: | |
d6:a0:86:69:7e:b8:e1:ac | |
Signature Algorithm: ecdsa-with-SHA256 | |
Issuer: CN=localhost, O=lnd | |
Validity | |
Not Before: Jun 24 11:03:12 2018 GMT | |
Not After : May 31 11:03:12 2118 GMT | |
Subject: CN=localhost, O=lnd | |
Subject Public Key Info: | |
Public Key Algorithm: id-ecPublicKey | |
Public-Key: (256 bit) | |
pub: | |
04:7a:d8:7d:de:12:81:d9:9e:66:ea:c8:53:e6:2e: | |
7c:91:1c:0d:fa:19:0d:a2:2a:73:06:77:89:67:84: | |
73:78:e6:03:7d:84:a3:01:f7:5f:62:be:1e:47:90: | |
d1:0e:aa:e2:56:cc:f5:d9:7a:78:50:20:16:69:ba: | |
84:ee:b6:8a:e6 | |
ASN1 OID: prime256v1 | |
X509v3 extensions: | |
X509v3 Subject Alternative Name: | |
DNS:alice | |
Signature Algorithm: ecdsa-with-SHA256 | |
30:45:02:21:00:97:03:9c:bf:c1:70:c2:8f:e1:97:a8:0c:83: | |
c6:ed:28:37:57:f7:c3:6c:ed:47:71:7a:ba:eb:34:7e:c4:f5: | |
5f:02:20:73:36:8a:5b:12:78:72:1c:ed:6c:54:21:8d:8c:68: | |
71:34:67:9a:55:2e:c0:40:03:9c:c2:75:b7:f2:b6:b2:f8 |
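# First attempt: self-signed TLS key/cert for lnd whose SAN names only
# ${LND_OWNER} (no DNS:localhost entry). The SAN comes from an ad-hoc
# [SAN] section appended to the system openssl.cnf through process
# substitution, for both the CSR (-reqexts) and the self-signed cert
# (-extensions).
#
# Required env: LND_OWNER - host name to place in the SAN and in file names.
# Writes: ${LND_OWNER}-tls.key, csr.csr, ${LND_OWNER}-tls.cert
: "${LND_OWNER:?LND_OWNER must be set to the SAN host name}"

# Fresh P-256 private key.
openssl ecparam -genkey -name prime256v1 -out "${LND_OWNER}-tls.key"

# CSR carrying the SAN extension. LND_OWNER is passed to printf as an
# argument rather than inside the format string, so a value containing
# '%' or backslashes cannot alter the generated config section.
openssl req -new -sha256 \
  -key "${LND_OWNER}-tls.key" \
  -subj "/CN=localhost/O=lnd" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
            <(printf '\n[SAN]\nsubjectAltName=DNS:%s' "${LND_OWNER}")) \
  -out csr.csr

# Inspect the CSR; the output should contain the subjectAltName.
# ("openssl csr" is not an openssl subcommand - CSRs are read with "req".)
openssl req -in csr.csr -text -noout

# Self-sign the CSR, re-attaching the SAN section via -extensions.
# NOTE(review): 36500 days (~100 years) is kept from the original; a
# shorter validity with rotation is the safer default.
openssl req -x509 -sha256 -days 36500 \
  -key "${LND_OWNER}-tls.key" \
  -in csr.csr -out "${LND_OWNER}-tls.cert" \
  -extensions SAN \
  -config <(cat /etc/ssl/openssl.cnf \
            <(printf '\n[SAN]\nsubjectAltName=DNS:%s' "${LND_OWNER}"))

# Dump the resulting certificate for inspection.
openssl x509 -in "${LND_OWNER}-tls.cert" -text -noout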
So, finally, the solution was to create the certificate like this:
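# Working variant: self-signed TLS key/cert for lnd whose SAN names both
# localhost and ${LND_OWNER}. The SAN comes from an ad-hoc [SAN] section
# appended to the system openssl.cnf through process substitution, for
# both the CSR (-reqexts) and the self-signed cert (-extensions).
#
# Required env: LND_OWNER - host name to place in the SAN and in file names.
# Writes: ${LND_OWNER}-tls.key, csr.csr, ${LND_OWNER}-tls.cert
: "${LND_OWNER:?LND_OWNER must be set to the SAN host name}"

# Fresh P-256 private key.
openssl ecparam -genkey -name prime256v1 -out "${LND_OWNER}-tls.key"

# CSR carrying the SAN extension. LND_OWNER is passed to printf as an
# argument rather than inside the format string, so a value containing
# '%' or backslashes cannot alter the generated config section.
openssl req -new -sha256 \
  -key "${LND_OWNER}-tls.key" \
  -subj "/CN=localhost/O=lnd" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
            <(printf '\n[SAN]\nsubjectAltName=DNS:localhost,DNS:%s' "${LND_OWNER}")) \
  -out csr.csr

# Inspect the CSR; the output should contain the subjectAltName.
openssl req -in csr.csr -text -noout

# Self-sign the CSR, re-attaching the SAN section via -extensions.
# NOTE(review): 36500 days (~100 years) is kept from the original; a
# shorter validity with rotation is the safer default.
openssl req -x509 -sha256 -days 36500 \
  -key "${LND_OWNER}-tls.key" \
  -in csr.csr -out "${LND_OWNER}-tls.cert" \
  -extensions SAN \
  -config <(cat /etc/ssl/openssl.cnf \
            <(printf '\n[SAN]\nsubjectAltName=DNS:localhost,DNS:%s' "${LND_OWNER}"))

# Dump the resulting certificate for inspection.
openssl x509 -in "${LND_OWNER}-tls.cert" -text -noout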
which creates this request/certificate:
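# Self-signed TLS key/cert for lnd whose SAN names both localhost and
# ${LND_OWNER}. The SAN comes from an ad-hoc [SAN] section appended to
# the system openssl.cnf through process substitution, for both the CSR
# (-reqexts) and the self-signed cert (-extensions).
#
# Required env: LND_OWNER - host name to place in the SAN and in file names.
# Writes: ${LND_OWNER}-tls.key, csr.csr, ${LND_OWNER}-tls.cert
: "${LND_OWNER:?LND_OWNER must be set to the SAN host name}"

# Fresh P-256 private key.
openssl ecparam -genkey -name prime256v1 -out "${LND_OWNER}-tls.key"

# CSR carrying the SAN extension. LND_OWNER is passed to printf as an
# argument rather than inside the format string, so a value containing
# '%' or backslashes cannot alter the generated config section.
openssl req -new -sha256 \
  -key "${LND_OWNER}-tls.key" \
  -subj "/CN=localhost/O=lnd" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
            <(printf '\n[SAN]\nsubjectAltName=DNS:localhost,DNS:%s' "${LND_OWNER}")) \
  -out csr.csr

# Inspect the CSR; the output should contain the subjectAltName.
# ("openssl csr" is not an openssl subcommand - CSRs are read with "req".)
openssl req -in csr.csr -text -noout

# Self-sign the CSR, re-attaching the SAN section via -extensions.
# NOTE(review): 36500 days (~100 years) is kept from the original; a
# shorter validity with rotation is the safer default.
openssl req -x509 -sha256 -days 36500 \
  -key "${LND_OWNER}-tls.key" \
  -in csr.csr -out "${LND_OWNER}-tls.cert" \
  -extensions SAN \
  -config <(cat /etc/ssl/openssl.cnf \
            <(printf '\n[SAN]\nsubjectAltName=DNS:localhost,DNS:%s' "${LND_OWNER}"))

# Dump the resulting certificate for inspection.
openssl x509 -in "${LND_OWNER}-tls.cert" -text -noout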
Thanks for this, super helpful.
As described in lightningnetwork/lnd#835, if one adds a
--tlsextraip=
flag, then the resulting cert looks like this: