From LedHed's Wiki
Revision as of 03:03, 31 March 2016 by Ledhed


Overview

If you happen to host multiple websites on a single server, you may need a multi-domain SSL certificate. This article explains how to create a certificate with Subject Alternative Names (SAN), which lets you assign a single cert to all of your sites. Yes, you can create an individual cert for each site, but sometimes it's nice to manage a single cert.


Create a Key

Create a server key in PEM format:

openssl genrsa -out server.key 2048


Create a Config File

Normally when you generate a CSR you are prompted with several questions like Country, State, yadda yadda. You can create a config file which pre-populates these fields. In this case we will also use the config file to add the Subject Alternative Names (SAN). Save it as server.conf, the file name used when creating the CSR below.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Sacramento
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.yourdomain.com
DNS.2 = webmail.yourdomain.com
DNS.3 = www.otherdomain.com

You can modify the above settings to suit your needs. The most important part is the [alt_names] section. This is where we add the other domains (SAN). You will be able to override the other info when creating the CSR in the next section.


Create a CSR

Create a server "Certificate Signing Request" (CSR):

openssl req -new -key server.key -out server.csr -config server.conf

Note: When prompted for commonName, enter your primary domain name. Example:

Common Name (eg, YOUR name) []:yourdomain.com


Checking the CSR

openssl req -text -noout -in server.csr

You should see your SANs in the output under the X509v3 Subject Alternative Name section.
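
To automate that check, the script below (an added example, not part of the original article) compares the DNS entries under [alt_names] in server.conf with the names in the CSR dump and lists any that are missing, including the case where the CSR carries no SAN extension at all. The function names and the script name check_san.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that every DNS name
# in the config's [alt_names] section made it into the CSR.

# Print the DNS.n values from [alt_names] of an OpenSSL config read on stdin.
conf_alt_names() {
    awk '
        /^[ \t]*\[/ { in_alt = ($0 ~ /^[ \t]*\[[ \t]*alt_names[ \t]*\]/); next }
        in_alt && /^[ \t]*DNS\.[0-9]+[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # drop the "DNS.n = " prefix
            sub(/[ \t]*(#.*)?$/, "")      # drop trailing space and comment
            print
        }'
}

# Print the DNS: entries from `openssl req -text -noout` output read on stdin.
csr_san_names() {
    awk '
        /X509v3 Subject Alternative Name/ && (getline line) > 0 {
            gsub(/[ \t]/, "", line)
            n = split(line, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^DNS:/) print substr(parts[i], 5)
        }'
}

# missing_sans CONF CSR_TEXT: list config names absent from the CSR dump.
# Returns 0 when none are missing, 1 otherwise.
missing_sans() {
    have=$(csr_san_names < "$2")
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$have" | grep -Fxq -e "$name" || { printf '%s\n' "$name"; rc=1; }
    done <<EOF
$(conf_alt_names < "$1")
EOF
    return "$rc"
}

# Usage: sh check_san.sh server.conf server.csr
if [ "$#" -eq 2 ]; then
    dump=$(mktemp) && openssl req -text -noout -in "$2" > "$dump"
    missing_sans "$1" "$dump"; status=$?
    rm -f "$dump"
    exit "$status"
fi
```

An empty result with exit status 0 means every name in [alt_names] is present in the CSR; if every name is reported, the CSR was most likely generated without -config server.conf or without the req_extensions line.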

