From LedHed's Wiki
Line 22: Line 22:
 
  localityName = Locality Name (eg, city)
 
  localityName = Locality Name (eg, city)
 
  localityName_default = Sacramento
 
  localityName_default = Sacramento
 +
organizationName = Organization Name (company)
 +
organizationName_default = My Company
 
  organizationalUnitName = Organizational Unit Name (eg, section)
 
  organizationalUnitName = Organizational Unit Name (eg, section)
 +
organizationalUnitName_default = IT
 
  commonName = Common Name (eg, YOUR name)
 
  commonName = Common Name (eg, YOUR name)
 
  commonName_max = 64
 
  commonName_max = 64
 
  emailAddress = Email Address
 
  emailAddress = Email Address
 +
emailAddress_default = [email protected]
 
  emailAddress_max = 40
 
  emailAddress_max = 40
 
   
 
   
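Review bot: the new `emailAddress_default = [email protected]` line does not give readers a usable default; the value is not a real address and will be carried into every CSR made from this template unless overridden at the prompt. Either make it an obviously fake placeholder such as `admin@yourdomain.com` with a comment saying to replace it, or drop the `_default` line so the prompt stays blank, as the other added defaults (`My Company`, `IT`) already read as placeholders.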
Line 37: Line 41:
 
  DNS.2 = webmail.yourdomain.com
 
  DNS.2 = webmail.yourdomain.com
 
  DNS.3 = www.otherdomain.com
 
  DNS.3 = www.otherdomain.com
 +
#DNS.4 = webmail    #Non-FQDN's are discouraged
 +
IP.1 = 1.2.3.4
  
 
You can modify the above settings to suit your needs. Most importantly is the ''[alt_names]'' section. This is where we add the other domains (SAN). You will be able to override the other info when creating the CSR in the next section.
 
You can modify the above settings to suit your needs. Most importantly is the ''[alt_names]'' section. This is where we add the other domains (SAN). You will be able to override the other info when creating the CSR in the next section.
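Review bot: the added `IP.1 = 1.2.3.4` is left active while `#DNS.4 = webmail` is commented out with an explanation; a reader who copies the file as-is will request a certificate containing an IP SAN they do not own, and a CA may refuse it or the reader may not notice it. Comment it out the same way (`#IP.1 = 1.2.3.4    #Only if you need an IP SAN`) or add a note that it is a placeholder to replace or remove. The prose context "Most importantly is the ''[alt_names]'' section" would also read better as "The most important part is the ''[alt_names]'' section".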

Latest revision as of 20:36, 13 October 2017

Overview

If you happen to host multiple websites on a single server, you may need a multi-domain SSL certificate. This article explains how to create a certificate with Subject Alternative Names (SANs), which lets you assign a single cert to all of your sites. Yes, you can create an individual cert for each site, but sometimes it's nice to manage a single cert.


Create a Key

Create a server key in pem format:

openssl genrsa -out server.key 2048


Create a Config File

Normally when you generate a CSR you are prompted with several questions like Country, State, yadda yadda. You can create a config file which pre-populates these fields. In this case we will use this config file to add in the Subject Alternative Names (SAN).

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Sacramento
organizationName = Organization Name (company)
organizationName_default = My Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = [email protected]
emailAddress_max = 40

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.yourdomain.com
DNS.2 = webmail.yourdomain.com
DNS.3 = www.otherdomain.com
#DNS.4 = webmail     # Non-FQDNs are discouraged
IP.1 = 1.2.3.4

You can modify the above settings to suit your needs. The most important part is the [alt_names] section: this is where the other domains (the SANs) are added. You will be able to override the other info when creating the CSR in the next section.


Create a CSR

Create a server "Certificate Signing Request" (CSR):

openssl req -new -key server.key -out server.csr -config server.conf

Note: When prompted for the commonName, enter your primary domain name. Example:

Common Name (eg, YOUR name) []:yourdomain.com


Checking the CSR

openssl req -text -noout -in server.csr

You should see your SANs in the output under the X509v3 Subject Alternative Name section.
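The four steps above (key, config file, CSR, check) as one script. This is an added example, not the wiki's own commands: the config uses prompt = no so the DN comes from the file instead of the interactive prompts, keyUsage is set to digitalSignature, keyEncipherment rather than the article's keyEncipherment, dataEncipherment, and two checks the article does not show are added (that the CSR's own signature verifies and that the public key inside it matches server.key). The working directory, hostnames, IP address and email address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: the four steps (key, config,
# CSR, check) as a script, with a non-interactive config (prompt = no) and
# two extra checks. All hostnames, the IP address, the email address and the
# working directory are constructed placeholders.

# Write the request config to $1. Same sections as the article's file, but
# with prompt = no so the DN comes from the file instead of the prompts.
# keyUsage differs from the article: digitalSignature is included because
# TLS with (EC)DHE key exchange, and all of TLS 1.3, sign with the server key.
write_san_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = US
stateOrProvinceName = California
localityName = Sacramento
organizationName = My Company
organizationalUnitName = IT
commonName = yourdomain.com
# placeholder address, replace before use
emailAddress = admin@yourdomain.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.yourdomain.com
DNS.2 = webmail.yourdomain.com
DNS.3 = www.otherdomain.com
IP.1 = 1.2.3.4
EOF
}

# Generate server.conf, server.key and server.csr inside directory $1.
build_csr() {
    mkdir -p "$1" &&
    write_san_config "$1/server.conf" &&
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -config "$1/server.conf" -out "$1/server.csr"
}

# Print the SAN entries of CSR $1 one per line, e.g. "DNS:www.yourdomain.com"
# and "IP Address:1.2.3.4", taken from the line that follows the
# "X509v3 Subject Alternative Name" header in the decoded request.
csr_sans() {
    openssl req -text -noout -in "$1" |
    awk '/Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# verify_csr KEY CSR EXPECTED_SAN...
# Returns 0 only if the CSR's self-signature verifies, the public key inside
# the CSR is the one derived from KEY, and every expected SAN entry is present.
verify_csr() {
    key=$1; csr=$2; shift 2
    openssl req -verify -noout -in "$csr" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$csr_pub" ] || return 1
    sans=$(csr_sans "$csr")
    for want in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq -- "$want" || return 1
    done
    return 0
}

# Stand-alone run: sh san_csr.sh /tmp/san-demo
if [ $# -gt 0 ]; then
    build_csr "$1" &&
    verify_csr "$1/server.key" "$1/server.csr" \
        DNS:www.yourdomain.com DNS:webmail.yourdomain.com \
        DNS:www.otherdomain.com "IP Address:1.2.3.4" &&
    echo "CSR OK, SANs: $(csr_sans "$1/server.csr" | tr '\n' ' ')"
fi
```

The key-match check catches the common mistake of pairing a CSR with the wrong server.key (for example after regenerating the key), which otherwise only shows up when the signed certificate is installed and the web server refuses to start. Comparing the expected SAN list against what is actually in the request, rather than eyeballing the -text output, also makes it easy to spot a stale or stray entry such as the IP.1 placeholder before it is sent to a CA.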

