(Created page with "== Overview == == Create a Key == Create a server key in pem format: openssl genrsa -out server.key 2048 == Create a Config File == Normally when you generate a CSR you a...") |
|||
(4 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Overview == | == Overview == | ||
+ | If you happen to host multiple websites on a single server, you may need to a multi domain SSL certificate. This article will explain how to create a certificate with Subject Alternative Names. This allows you to assign a single cert to all of your sites. Yes you can create an individual cert for each site, but sometimes its nice to manage a single cert. | ||
Line 21: | Line 22: | ||
localityName = Locality Name (eg, city) | localityName = Locality Name (eg, city) | ||
localityName_default = Sacramento | localityName_default = Sacramento | ||
+ | organizationName = Organization Name (company) | ||
+ | organizationName_default = My Company | ||
organizationalUnitName = Organizational Unit Name (eg, section) | organizationalUnitName = Organizational Unit Name (eg, section) | ||
+ | organizationalUnitName_default = IT | ||
commonName = Common Name (eg, YOUR name) | commonName = Common Name (eg, YOUR name) | ||
commonName_max = 64 | commonName_max = 64 | ||
emailAddress = Email Address | emailAddress = Email Address | ||
+ | emailAddress_default = [email protected] | ||
emailAddress_max = 40 | emailAddress_max = 40 | ||
Line 36: | Line 41: | ||
DNS.2 = webmail.yourdomain.com | DNS.2 = webmail.yourdomain.com | ||
DNS.3 = www.otherdomain.com | DNS.3 = www.otherdomain.com | ||
+ | #DNS.4 = webmail #Non-FQDN's are discouraged | ||
+ | IP.1 = 1.2.3.4 | ||
You can modify the above settings to suit your needs. Most importantly is the ''[alt_names]'' section. This is where we add the other domains (SAN). You will be able to override the other info when creating the CSR in the next section. | You can modify the above settings to suit your needs. Most importantly is the ''[alt_names]'' section. This is where we add the other domains (SAN). You will be able to override the other info when creating the CSR in the next section. | ||
− | + | ||
− | + | ||
== Create a CSR == | == Create a CSR == | ||
Create a server "Certificate Signing Request" (CSR): | Create a server "Certificate Signing Request" (CSR): | ||
openssl req -new -key server.key -out server.csr -config server.conf | openssl req -new -key server.key -out server.csr -config server.conf | ||
+ | '''Note: When prompted for ''commonName:'' to enter your primary domain name.''' | ||
+ | Example: | ||
+ | Common Name (eg, YOUR name) []:yourdomain.com | ||
− | + | == Checking the CSR == | |
− | + | openssl req -text -noout -in server.csr | |
− | + | You should see your SAN's in the output under the ''X509v3 Subhect Alternative Name'' section. | |
− | + | ||
== Reference == | == Reference == | ||
http://blog.danmassey.net/?p=407 | http://blog.danmassey.net/?p=407 | ||
+ | |||
+ | http://apetec.com/support/GenerateSAN-CSR.htm | ||
[[Category:OpenSSL]] | [[Category:OpenSSL]] |
Latest revision as of 20:36, 13 October 2017
Contents
Overview
If you happen to host multiple websites on a single server, you may need to a multi domain SSL certificate. This article will explain how to create a certificate with Subject Alternative Names. This allows you to assign a single cert to all of your sites. Yes you can create an individual cert for each site, but sometimes its nice to manage a single cert.
Create a Key
Create a server key in pem format:
openssl genrsa -out server.key 2048
Create a Config File
Normally when you generate a CSR you are prompted with several questions like Country, State, yadda yadda. You can create a config file which pre-populates these fields. In this case we will use this config file to add in the Subject Alternative Names (SAN).
[req] distinguished_name = req_distinguished_name req_extensions = v3_req [req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = California localityName = Locality Name (eg, city) localityName_default = Sacramento organizationName = Organization Name (company) organizationName_default = My Company organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = IT commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_default = [email protected] emailAddress_max = 40 [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = www.yourdomain.com DNS.2 = webmail.yourdomain.com DNS.3 = www.otherdomain.com #DNS.4 = webmail #Non-FQDN's are discouraged IP.1 = 1.2.3.4
You can modify the above settings to suit your needs. Most importantly is the [alt_names] section. This is where we add the other domains (SAN). You will be able to override the other info when creating the CSR in the next section.
Create a CSR
Create a server "Certificate Signing Request" (CSR):
openssl req -new -key server.key -out server.csr -config server.conf
Note: When prompted for commonName: to enter your primary domain name. Example:
Common Name (eg, YOUR name) []:yourdomain.com
Checking the CSR
openssl req -text -noout -in server.csr
You should see your SAN's in the output under the X509v3 Subhect Alternative Name section.