Tuesday 14 March 2017

Generating a SAN (Subject Alternative Name) certificate with OpenSSL

First, create a new file (e.g. /tmp/csr_yourdomain.conf) with the following contents, replacing the relevant information with your own:

[req]
default_bits = 2048
prompt = no                     # take the subject from [ dn ] instead of prompting
default_md = sha256
req_extensions = req_ext        # extensions to embed in the CSR
distinguished_name = dn

[ dn ]
C=GB
ST=London
L=England
O=Your Company
OU=IT
emailAddress=webmaster@yourdomain.com
CN = *.yourdomain.com

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names     # SAN list lives in the [ alt_names ] section

[ alt_names ]
DNS.1 = *.anotherdomain.com
DNS.2 = *.alternativedomain.com

Most of the above is the same information you would supply when requesting a certificate for a single FQDN; the 'alt_names' section is where the SANs (Subject Alternative Names) are listed.

Additional domains can be added simply by incrementing the 'DNS.' prefix, e.g. DNS.3, DNS.4 and so on. Note that clients which understand the SAN extension match the hostname only against it and ignore the CN, so the CN (*.yourdomain.com here) should also appear as a DNS entry in 'alt_names'.

Finally, generate the private key and the certificate signing request (CSR), pointing openssl at the config file you have just created:

openssl req -new -sha256 -nodes -out \*.yourdomain.com.csr -newkey rsa:2048 -keyout \*.yourdomain.key -config /tmp/csr_yourdomain.conf
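As an added example (not code from the original post): a small Python helper that renders the config above with automatically numbered DNS.n entries, runs the same openssl command, and reads back which names actually ended up in the CSR's SAN extension. It assumes the openssl binary is on PATH and, because SAN-aware clients ignore the CN once the extension is present, it always lists the CN as the first SAN as well.

```python
"""Build an OpenSSL CSR config with numbered SAN entries and inspect the result."""
import re
import subprocess
import tempfile
from pathlib import Path

# Subject fields mirror the [ dn ] section of the post (constructed sample values).
DN = {"C": "GB", "ST": "London", "L": "England", "O": "Your Company",
      "OU": "IT", "emailAddress": "webmaster@yourdomain.com"}


def render_csr_config(cn, sans, dn=DN):
    """Return the request config text; the CN is prepended to alt_names if
    missing, and DNS.n entries are numbered from 1 automatically."""
    names = [cn] + [s for s in sans if s != cn]
    dn_lines = "\n".join(f"{k}={v}" for k, v in dn.items())
    alt_lines = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))
    return (
        "[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n"
        "req_extensions = req_ext\ndistinguished_name = dn\n\n"
        f"[ dn ]\n{dn_lines}\nCN = {cn}\n\n"
        "[ req_ext ]\nbasicConstraints = CA:FALSE\n"
        "keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n"
        "subjectAltName = @alt_names\n\n"
        f"[ alt_names ]\n{alt_lines}\n"
    )


def san_names(csr_text):
    """Extract the DNS names from `openssl req -noout -text` output."""
    return re.findall(r"DNS:([^,\s]+)", csr_text)


def generate_and_check(cn, sans, workdir):
    """Write the config, run the openssl command from the post and return the
    DNS names openssl placed in the CSR's SAN extension (needs openssl on PATH)."""
    workdir = Path(workdir)
    conf = workdir / "csr.conf"
    conf.write_text(render_csr_config(cn, sans))
    csr, key = workdir / "request.csr", workdir / "request.key"
    subprocess.run(["openssl", "req", "-new", "-sha256", "-nodes", "-out", str(csr),
                    "-newkey", "rsa:2048", "-keyout", str(key), "-config", str(conf)],
                   check=True, capture_output=True)
    text = subprocess.run(["openssl", "req", "-in", str(csr), "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    return san_names(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(generate_and_check("*.yourdomain.com",
                                 ["*.anotherdomain.com", "*.alternativedomain.com"], tmp))
```

Running it prints the SAN list openssl read back, which is the quickest way to confirm the CSR carries every name before sending it to a CA.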
