SSL Tutorial #4: Creating SAN Certificate and Self-signing It with Own CA

A Subject Alternative Name (SAN) certificate lets a single certificate be validated for several host names. SAN is an X.509 v3 extension rather than one of the base certificate fields.

1. Create config

Create a config file, mydomain.conf:

[ req ]
default_bits        = 2048
default_keyfile     = mydomain.key
distinguished_name  = req_distinguished_name
prompt              = no
attributes          = req_attributes
req_extensions      = mydomain_ext

[ req_distinguished_name ]
C            = XX
ST           = Some State
L            = Some Locality
O            = Some Organization
OU           = Some Organizational Unit
CN           = mydomain.com
emailAddress = admin@mydomain.com

[ req_attributes ]
challengePassword    = A challenge password

[ mydomain_ext ]
subjectAltName       = @alt_names

[alt_names]
DNS.1   = mydomain.com
DNS.2   = www.mydomain.com
DNS.3   = myotherdomain.com
DNS.4   = *.myotherdomain.com

2. Create CSR

Create the CSR and key using this config:
openssl req -new -nodes -out mydomain.csr -config mydomain.conf

You can inspect the CSR to check that the extension made it in:
openssl req -in mydomain.csr -noout -text
There should be an “X509v3 Subject Alternative Name” line listing the DNS entries from alt_names.

3. Sign the CSR

Just like in Tutorial #1, you then sign the CSR with your CA cert. But this time you need to add one line to the configuration used by sign.sh.

Add this line in the [ CA_own ] block:
copy_extensions = copy

This makes openssl ca carry the extensions from the CSR over into the certificate, which is how the SAN gets there. Because it copies whatever the request contains, review the CSR's extensions before signing, and keep basicConstraints and keyUsage set in the CA's own x509_extensions section: extensions already set there are not overwritten by copied ones.

Then sign it and configure your web server to use the resulting cert.

That’s all.

4. Tips

(1) When a SAN extension is present, clients ignore the common name (CN) entirely. So make sure the common name is repeated as one of the alt_names entries (DNS.1 in the config above).

(2) If you are creating a self-signed cert (openssl req -x509) rather than a cert request, change req_extensions to x509_extensions, because req only reads x509_extensions when it outputs a certificate instead of a CSR.
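A runnable round trip of steps 1 to 3, plus the x509_extensions variant from tip (2) for the CA's own self-signed cert, added here as an example; it is not the tutorial's sign.sh or config. It assumes the openssl command line tool (1.1.1 or later) is on PATH; the $WORK scratch directory, the Test-CA subject, the trimmed DN, and the policy_any and server_ext section names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the tutorial's sign.sh: steps 1-3 end to end with a throw-away CA,
# then checks that the SAN survived signing. Assumes openssl >= 1.1.1 on PATH.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch dir for keys, CSR and the CA database
write_conf() {   # one file serves req -new, req -x509 (tip 2) and openssl ca
  cat > "$WORK/mydomain.conf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
req_extensions = mydomain_ext
x509_extensions = v3_ca
[ req_dn ]
CN = mydomain.com
[ mydomain_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
DNS.3 = *.myotherdomain.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = CA_own
[ CA_own ]
database = $WORK/index.txt
serial = $WORK/serial
# server_ext is applied before copy_extensions, so a CSR cannot smuggle in CA:TRUE
x509_extensions = server_ext
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
EOF
  : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
}
issue_cert() {   # steps 1-3; prints the path of the signed cert
  write_conf; cd "$WORK"
  openssl req -new -nodes -keyout mydomain.key -out mydomain.csr -config mydomain.conf 2>/dev/null
  openssl req -x509 -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt -days 365 \
    -subj /CN=Test-CA -config mydomain.conf 2>/dev/null
  openssl ca -batch -notext -config mydomain.conf -cert ca.crt -keyfile ca.key -outdir "$WORK" \
    -md sha256 -days 365 -policy policy_any -in mydomain.csr -out mydomain.crt 2>/dev/null
  echo "$WORK/mydomain.crt"
}
# the "X509v3 Subject Alternative Name" value, e.g. DNS:mydomain.com,DNS:www.mydomain.com,...
san_of() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '; }
# exit 0 iff cert $1 chains to the CA and hostname $2 matches a SAN entry (wildcards included)
name_ok() { openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
```

Source the file, call issue_cert, then run san_of and name_ok against the printed path; name_ok fails for myotherdomain.com because the wildcard only covers one label below it.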

