A Subject Alternative Name (SAN) certificate lets a single certificate be valid for several hostnames. SAN is an X.509 v3 extension carried in the certificate (and, when requested this way, in the CSR).
Create a config file, mydomain.conf (the name the commands below use):

```ini
[ req ]
default_bits = 2048
default_keyfile = mydomain.key
distinguished_name = req_distinguished_name
prompt = no
attributes = req_attributes
req_extensions = mydomain_ext

[ req_distinguished_name ]
C = XX
ST = Some State
L = Some Locality
O = Some Organization
OU = Some Organizational Unit
CN = mydomain.com
emailAddress = email@example.com

[ req_attributes ]
# With prompt = no this is the literal attribute value written into the CSR,
# not a prompt label; drop this section if you do not want a challenge password.
challengePassword = A challenge password

[ mydomain_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
DNS.3 = myotherdomain.com
DNS.4 = *.myotherdomain.com
```
Create the CSR and key using this config (the key is written to mydomain.key because of default_keyfile; -nodes leaves it unencrypted):

```sh
openssl req -new -nodes -out mydomain.csr -config mydomain.conf
```
You can verify the CSR contents:

```sh
openssl req -in mydomain.csr -noout -text
```

The output should contain an `X509v3 Subject Alternative Name` line followed by the DNS entries from alt_names.
Sign the CSR
Just like in Tutorial #1, you then sign the CSR with your CA cert. But this time you need one extra line in the CA configuration that sign.sh uses, otherwise `openssl ca` discards the extensions in the request and the signed cert has no SAN. Add this line in the `[ CA_own ]` block:

```ini
copy_extensions = copy
```

Note that `copy` copies every extension from the request that the CA's own extension section does not already set. Keep basicConstraints = CA:FALSE (and any other security-relevant extension) in the CA's extension section so that a request asking for CA:TRUE is overridden rather than honoured.
Then sign it. Configure your webserver to use this cert.
- Once a SAN extension is present, clients ignore the Common Name for hostname matching, so the CN hostname is effectively useless on its own. Make sure the CN also appears in the alt_names section.
- If you are creating a self-signed cert (`openssl req -x509`) rather than a cert request, change req_extensions to x509_extensions, because `req -x509` reads the x509_extensions setting instead.
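The following script is an added example, not part of the original tutorial, that walks through the request steps above and the two notes just given: it builds a SAN request config from a list of hostnames (always putting the CN into alt_names and de-duplicating), generates a key and CSR, checks that the SAN names really are in the CSR, then produces a self-signed test cert (so x509_extensions is exercised alongside req_extensions) and checks which hostnames it covers with `openssl x509 -checkhost`. All hostnames, file names and the section name `san_ext` are constructed for the example; it assumes `openssl` is on the PATH and goes one step beyond the tutorial by showing that `*.myotherdomain.com` covers api.myotherdomain.com but not the bare myotherdomain.com.

```shell
#!/bin/sh
# Added example: SAN config generation and verification (not the tutorial's own code).
set -eu

# make_san_conf CN HOST... : print an openssl req config whose alt_names list
# starts with the CN (clients ignore CN once a SAN exists) with duplicates removed.
make_san_conf() {
    cn=$1; shift
    cat <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
req_extensions = san_ext
x509_extensions = san_ext

[ req_distinguished_name ]
C = XX
O = Example Org
CN = $cn

[ san_ext ]
subjectAltName = @alt_names
# a leaf cert must never be able to act as a CA, even if a CSR asks for it
basicConstraints = CA:FALSE

[alt_names]
EOF
    i=1
    seen=" "
    for name in "$cn" "$@"; do
        case "$seen" in *" $name "*) continue ;; esac   # skip duplicates
        seen="$seen$name "
        printf 'DNS.%s = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# csr_san_names FILE : print the DNS names in a CSR's SAN extension, one per line,
# by parsing the line that follows "X509v3 Subject Alternative Name" in -text output.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_matches_host CERT HOST : succeed only if openssl would accept CERT for HOST.
# -checkhost prints "does match" or "does NOT match" and exits 0 either way.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# demo DIR : run the whole flow inside DIR; returns 0 only if every check passes.
demo() {
    dir=$1
    conf=$dir/san.conf
    key=$dir/mydomain.key
    csr=$dir/mydomain.csr
    crt=$dir/mydomain.crt
    # constructed hostnames; mydomain.com appears twice to show de-duplication
    make_san_conf mydomain.com www.mydomain.com mydomain.com '*.myotherdomain.com' > "$conf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null || return 1
    # CSR: req_extensions puts the SAN into the request
    openssl req -new -key "$key" -out "$csr" -config "$conf" 2>/dev/null || return 1
    expected=$(printf 'mydomain.com\nwww.mydomain.com\n*.myotherdomain.com')
    [ "$(csr_san_names "$csr")" = "$expected" ] || return 1
    # self-signed test cert: with -x509, req reads x509_extensions instead of req_extensions
    openssl req -x509 -new -key "$key" -out "$crt" -days 1 -config "$conf" 2>/dev/null || return 1
    cert_matches_host "$crt" www.mydomain.com || return 1
    cert_matches_host "$crt" api.myotherdomain.com || return 1   # covered by the wildcard
    cert_matches_host "$crt" myotherdomain.com && return 1       # *.x does not cover bare x
    cert_matches_host "$crt" mail.mydomain.com && return 1       # never listed at all
    return 0
}

# usage: sh san_demo.sh run
if [ "${1-}" = run ]; then
    tmp=$(mktemp -d)
    demo "$tmp" && echo "all SAN checks passed, files in $tmp"
fi
```

The generated config names the same section in both req_extensions and x509_extensions so one file serves both the CSR and the `-x509` self-signed path; in a real deployment the self-signed cert is only a local test and the CSR is what goes to the CA with copy_extensions set as described above.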