A Subject Alternative Name (SAN) cert lets a single cert be valid for several domain names. SAN is an extension to X.509 (SSL/TLS) certs, shown as "X509v3 Subject Alternative Name" by OpenSSL.
Create config
Create a config file mydomain.conf with the following contents:
[ req ]
default_bits = 2048
default_keyfile = mydomain.key
distinguished_name = req_distinguished_name
prompt = no
attributes = req_attributes
req_extensions = mydomain_ext
[ req_distinguished_name ]
C = XX
ST = Some State
L = Some Locality
O = Some Organization
OU = Some Organizational Unit
CN = mydomain.com
emailAddress = admin@mydomain.com
[ req_attributes ]
challengePassword = A challenge password
[ mydomain_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
DNS.3 = myotherdomain.com
DNS.4 = *.myotherdomain.com
Create CSR
Create the CSR and private key using this config:
openssl req -new -nodes -out mydomain.csr -config mydomain.conf
You can inspect the CSR to verify its contents:
openssl req -in mydomain.csr -noout -text
There should be an X509v3 Subject Alternative Name line in the output.
Sign the CSR
Just like in Tutorial #1, you then sign the CSR with your CA cert. But this time you need to add a line to sign.sh, in the [ CA_own ] block:
copy_extensions = copy
Then sign it. Without copy_extensions the CA silently drops the SAN from the CSR, so check the signed cert for the X509v3 Subject Alternative Name line too. Configure your webserver to use this cert.
That’s all.
Tips
- When a SAN is present, clients ignore the common name entirely. So make sure to repeat the common name as one of the alt_names entries.
- If you are creating a self-signed cert rather than a cert request, change req_extensions to x509_extensions.
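The whole procedure, run end to end in a scratch directory, as an added example that is not part of the tutorial: it writes the request config, creates the key and CSR, signs the CSR twice against a throwaway CA (once with copy_extensions = copy and once with the default none, so the effect of that one line is visible), and also produces the self-signed variant from the second tip. It assumes only that the openssl CLI is on PATH; the domain names, the "Demo CA" and the [ CA_own ] signing config are constructed for the demo and stand in for your own CA and sign.sh.

```shell
# Added example, not code from the tutorial. Assumes the openssl CLI is on
# PATH; domain names, the Demo CA and the signing config are constructed.
set -eu

# Request config. Clients ignore the CN once a SAN is present, so the CN is
# repeated as DNS.1; x509_extensions points at the same section so the file
# also serves a self-signed cert (openssl req -x509), as in the second tip.
write_req_conf() {
  cat <<'EOF'
[ req ]
default_bits = 2048
default_keyfile = mydomain.key
distinguished_name = req_distinguished_name
prompt = no
req_extensions = mydomain_ext
x509_extensions = mydomain_ext
[ req_distinguished_name ]
CN = mydomain.com
[ mydomain_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
DNS.3 = myotherdomain.com
DNS.4 = *.myotherdomain.com
EOF
}

# Throwaway CA config (stands in for the tutorial's own CA cert).
write_ca_conf() {
  cat <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = Demo CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Minimal [ CA_own ] signing config; $1 is the copy_extensions mode.
# "copy" keeps the CSR's SAN, "none" (the default) silently drops it.
write_sign_conf() {
  cat <<EOF
[ ca ]
default_ca = CA_own
[ CA_own ]
new_certs_dir = .
database = index.txt
serial = serial
unique_subject = no
default_md = sha256
default_days = 1
policy = policy_any
x509_extensions = usr_cert
copy_extensions = $1
[ usr_cert ]
basicConstraints = CA:FALSE
[ policy_any ]
commonName = supplied
EOF
}

# Print the SAN DNS names of a CSR ("req") or cert ("x509"), one per line.
san_dns_names() {
  openssl "$1" -in "$2" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Run the whole flow in a temp dir and print that dir's path.
san_demo() {
  work=$(mktemp -d)
  (
    cd "$work"
    write_req_conf > mydomain.conf
    write_ca_conf > ca.conf
    openssl req -new -nodes -out mydomain.csr -config mydomain.conf >/dev/null 2>&1
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
      -days 1 -config ca.conf >/dev/null 2>&1
    touch index.txt; echo 01 > serial
    # sign once with copy_extensions = copy and once without, to compare
    write_sign_conf copy > sign.conf
    openssl ca -batch -config sign.conf -cert ca.crt -keyfile ca.key \
      -in mydomain.csr -out mydomain.crt -notext >/dev/null 2>&1
    write_sign_conf none > sign-nocopy.conf
    openssl ca -batch -config sign-nocopy.conf -cert ca.crt -keyfile ca.key \
      -in mydomain.csr -out nosan.crt -notext >/dev/null 2>&1
    # self-signed variant from the tip: same config, x509_extensions used
    openssl req -x509 -new -nodes -key mydomain.key -out selfsigned.crt \
      -config mydomain.conf -days 1 >/dev/null 2>&1
  )
  echo "$work"
}

dir=$(san_demo)
for f in "req mydomain.csr" "x509 mydomain.crt" "x509 nosan.crt" "x509 selfsigned.crt"; do
  set -- $f; echo "$2: $(san_dns_names "$1" "$dir/$2" | tr '\n' ' ')"
done
```

Running it prints the four DNS names for the CSR, the cert signed with copy_extensions = copy and the self-signed cert, and an empty list for nosan.crt: that last line is what a server ends up with when the signing config is missing the copy_extensions line.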