From LedHed's Wiki

Revision as of 02:47, 31 March 2016

Overview

If you happen to host multiple websites on a single server, you may need a multi-domain SSL certificate. This article explains how to create a certificate with Subject Alternative Names, which lets you assign a single cert to all of your sites. Yes, you can create an individual cert for each site, but sometimes it's nice to manage a single cert.


Create a Key

Create a server key in pem format:

openssl genrsa -out server.key 2048


Create a Config File

Normally when you generate a CSR you are prompted with several questions like Country, State, yadda yadda. You can create a config file which pre-populates these fields. In this case we will use this config file to add in the Subject Alternative Names (SAN).

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Sacramento
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[v3_req]
# digitalSignature is required when the server signs the (EC)DHE key exchange
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.yourdomain.com
DNS.2 = webmail.yourdomain.com
DNS.3 = www.otherdomain.com

You can modify the above settings to suit your needs. The most important part is the [alt_names] section. This is where we add the other domains (SAN). You will be able to override the other info when creating the CSR in the next section.


Create a CSR

Create a server "Certificate Signing Request" (CSR):

openssl req -new -key server.key -out server.csr -config server.conf

Note: When prompted for commonName, enter your primary domain name. Example:

Common Name (eg, YOUR name) []:yourdomain.com
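
Clients that find DNS entries in the SAN extension match hostnames against those entries and ignore the Common Name, so it is worth checking what actually ended up in server.csr before sending it to a CA. The script below is an added example, not part of the original wiki page: it parses the output of openssl req -noout -text and reports whether the CN is also listed as a SAN. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check a CSR's text dump for SANs.
# Real use: openssl req -in server.csr -noout -text | check_csr_text

# Print each DNS subjectAltName on its own line (CSR text on stdin).
san_list() {
    awk '/X509v3 Subject Alternative Name/ { grab = 1; next }
         grab { n = split($0, p, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/^[ \t]+|[ \t]+$/, "", p[i])
                    if (p[i] ~ /^DNS:/) print substr(p[i], 5)
                }
                grab = 0 }'
}

# Print the subject CN; accepts both "CN = x" and "CN=x" renderings.
cn_of() {
    sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# Exit 0: CN is among the SANs; 1: SANs present but CN missing; 2: no SANs.
check_csr_text() {
    text=$(cat)
    cn=$(printf '%s\n' "$text" | cn_of)
    sans=$(printf '%s\n' "$text" | san_list)
    if [ -z "$sans" ]; then
        echo "FAIL: request carries no subjectAltName extension"; return 2
    fi
    if printf '%s\n' "$sans" | grep -Fxq -- "$cn"; then
        echo "OK: CN '$cn' is also listed as a SAN"; return 0
    fi
    echo "WARN: CN '$cn' is not a SAN; add it under [alt_names]"; return 1
}

# Constructed, abridged sample of the text dump for a CSR built from the
# config above with commonName yourdomain.com (not captured from a real run).
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Subject: C = US, ST = California, L = Sacramento, CN = yourdomain.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.yourdomain.com, DNS:webmail.yourdomain.com, DNS:www.otherdomain.com
EOF
}

sample_csr_text | check_csr_text || true   # prints the WARN line
```

With the [alt_names] list shown earlier, the bare yourdomain.com entered as commonName is not covered; adding it as another DNS.n entry makes the check pass.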



Reference

http://blog.danmassey.net/?p=407