Overview
If you happen to host multiple websites on a single server, you may need a multi-domain SSL certificate. This article will explain how to create a certificate with Subject Alternative Names. This allows you to assign a single cert to all of your sites. Yes, you can create an individual cert for each site, but sometimes it's nice to manage a single cert.
Create a Key
Create a server key in pem format:
openssl genrsa -out server.key 2048
Create a Config File
Normally when you generate a CSR you are prompted with several questions like Country, State, yadda yadda. You can create a config file which pre-populates these fields. In this case we will use this config file to add in the Subject Alternative Names (SAN).
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Sacramento
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.yourdomain.com
DNS.2 = webmail.yourdomain.com
DNS.3 = www.otherdomain.com
You can modify the above settings to suit your needs. Most important is the [alt_names] section; this is where we add the other domains (the SANs). You will be able to override the other info when creating the CSR in the next section.
Create a CSR
Create a server "Certificate Signing Request" (CSR):
openssl req -new -key server.key -out server.csr -config server.conf
Note: When prompted for commonName, enter your primary domain name. Example:
Common Name (eg, YOUR name) []:yourdomain.com
Checking the CSR
openssl req -text -noout -in server.csr
You should see your SANs in the output under the X509v3 Subject Alternative Name section.
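The whole procedure above (key, config, CSR, check) as one non-interactive script. This is an added example, not code from the original article; it assumes the openssl CLI is on PATH, uses the article's placeholder names (yourdomain.com and friends), and uses `prompt = no` so the DN comes from the config instead of the questions. It deliberately differs from the article's config in two places: the commonName is repeated as DNS.1, because browsers ignore the CN and only match names in the SAN, and keyUsage carries digitalSignature, which TLS 1.3 and ECDHE cipher suites require when a keyUsage extension is present. The last function is the check a practitioner wants before submitting a CSR: that it was actually built with the key you intend to deploy.

```shell
#!/bin/sh
# Added example (not the article's own code). Assumes: openssl on PATH,
# a writable temp directory, and the article's placeholder domain names.
set -eu

# Write the request config into the file named by $1.
write_san_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C  = US
ST = California
L  = Sacramento
CN = yourdomain.com

[v3_req]
# digitalSignature added: required for TLS 1.3 and ECDHE-RSA suites.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# The CN must also appear here; clients match on SAN only.
DNS.1 = yourdomain.com
DNS.2 = www.yourdomain.com
DNS.3 = webmail.yourdomain.com
DNS.4 = www.otherdomain.com
EOF
}

# Generate server.key, server.conf and server.csr under directory $1.
make_san_csr() {
    mkdir -p "$1"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    write_san_config "$1/server.conf"
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -config "$1/server.conf"
}

# Print the DNS names in the CSR's Subject Alternative Name, one per line.
# The name list is on the line after the "Subject Alternative Name" header.
csr_san_names() {
    openssl req -noout -text -in "$1" \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed only if the CSR's public key belongs to private key $2
# (same RSA modulus); fail if the CSR or key cannot be read.
csr_matches_key() {
    csr_mod=$(openssl req -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

# Demo run in a throwaway directory.
workdir=$(mktemp -d)
make_san_csr "$workdir"
echo "SAN entries in the CSR:"
csr_san_names "$workdir/server.csr"
if csr_matches_key "$workdir/server.csr" "$workdir/server.key"; then
    echo "CSR matches server.key"
fi
rm -rf "$workdir"
```

Two things to keep in mind when you hand the CSR on. Many commercial CAs take the SAN list from their order form rather than from CSR extensions, so confirm the issued certificate rather than the CSR. If you self-sign with `openssl x509 -req`, the requested extensions are not carried over unless you pass `-extfile server.conf -extensions v3_req`.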