Latest revision as of 20:36, 13 October 2017
Overview
If you happen to host multiple websites on a single server, you may need a multi-domain SSL certificate. This article will explain how to create a certificate with Subject Alternative Names. This allows you to assign a single cert to all of your sites. Yes, you can create an individual cert for each site, but sometimes it's nice to manage a single cert.
Create a Key
Create a server key in pem format:
openssl genrsa -out server.key 2048
Create a Config File
Normally when you generate a CSR you are prompted with several questions like Country, State, yadda yadda. You can create a config file which pre-populates these fields. In this case we will use this config file to add in the Subject Alternative Names (SAN).
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Sacramento
organizationName = Organization Name (company)
organizationName_default = My Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = [email protected]
emailAddress_max = 40

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.yourdomain.com
DNS.2 = webmail.yourdomain.com
DNS.3 = www.otherdomain.com
#DNS.4 = webmail #Non-FQDN's are discouraged
IP.1 = 1.2.3.4
You can modify the above settings to suit your needs. Most important is the [alt_names] section. This is where we add the other domains (SAN). You will be able to override the other info when creating the CSR in the next section.
Create a CSR
Create a server "Certificate Signing Request" (CSR):
openssl req -new -key server.key -out server.csr -config server.conf
Note: When prompted for commonName, enter your primary domain name. Example:
Common Name (eg, YOUR name) []:yourdomain.com
Checking the CSR
openssl req -text -noout -in server.csr
You should see your SANs in the output under the X509v3 Subject Alternative Name section.
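The whole procedure above (key, config file, CSR, check) scripted end to end, as an added example that is not part of the original article. It switches the config to prompt = no so the CSR is produced without interactive questions, and it reads the SAN list back out of the finished CSR so the last step can be checked mechanically rather than by eye. The hostnames and the IP address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): build a SAN CSR non-interactively
# and read the SAN list back out of it. Hostnames and the IP are constructed placeholders.
set -eu

# Write an OpenSSL request config to $1. $2 is the commonName; remaining arguments are
# SAN entries, either a bare hostname (DNS) or "IP:<address>". prompt = no makes the
# DN come from the file instead of interactive questions, so the whole run is scriptable.
write_san_conf() {
    conf="$1"; cn="$2"; shift 2
    {
        printf '[req]\nprompt = no\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n'
        printf '[req_distinguished_name]\ncommonName = %s\n' "$cn"
        printf '[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n[alt_names]\n'
        dns=0; ip=0
        for san in "$@"; do
            case "$san" in
                IP:*) ip=$((ip + 1));   printf 'IP.%d = %s\n'  "$ip"  "${san#IP:}" ;;
                *)    dns=$((dns + 1)); printf 'DNS.%d = %s\n' "$dns" "$san" ;;
            esac
        done
    } > "$conf"
}

# Generate server.key and server.csr in directory $1 using the config above.
make_san_csr() {
    dir="$1"; shift
    write_san_conf "$dir/server.conf" "$@"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/server.conf"
}

# Print the SAN entries of CSR $1 one per line, e.g. "DNS:www.yourdomain.com" or
# "IP Address:192.0.2.10" (the labels OpenSSL uses in its -text output).
csr_sans() {
    openssl req -text -noout -in "$1" \
        | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }' \
        | tr ',' '\n' | sed 's/^ *//'
}

# Usage: "sh san_csr.sh run". The primary domain is the commonName, as the article advises.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_san_csr "$work" yourdomain.com www.yourdomain.com webmail.yourdomain.com IP:192.0.2.10
    csr_sans "$work/server.csr"
fi
```

If a name is missing from the printed list, the CSR was not built from the config you intended (wrong -config path or a typo in [alt_names]), and signing it would yield a certificate browsers reject for that host.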