{"id":1252,"date":"2014-07-09T00:54:05","date_gmt":"2014-07-08T23:54:05","guid":{"rendered":"http:\/\/fbcs.co.uk\/?p=1252"},"modified":"2014-07-27T01:04:15","modified_gmt":"2014-07-27T00:04:15","slug":"self-signed-multiple-domain-ssl-certificates","status":"publish","type":"post","link":"https:\/\/wp.fbcs.co.uk\/self-signed-multiple-domain-ssl-certificates\/","title":{"rendered":"Self-signed multiple-domain SSL certificates"},"content":{"rendered":"

I’ve finally worked out how to create self-signed SSL certificates for multiple domain names with openssl.

These notes relate to Debian GNU/Linux, but the principles will apply to other operating systems.

The first step, which makes the process easier and repeatable in future, is to copy the default configuration file from /etc/ssl/openssl.cnf to a working directory where you can adapt it.

Let’s assume that you’ve copied /etc/ssl/openssl.cnf to ~/project-openssl.cnf. Edit the new file and set the various default values to the ones that you need — that’s better than having to respond to openssl’s prompts every time you run it.

For real (non-self-signed) certificates, you would generate a certificate signing request (.csr) file, ready for a certificate authority to sign it for you. In that case, you need to follow the instructions at http://wiki.cacert.org/FAQ/subjectAltName.

But for a self-signed certificate, the subjectAltName has to go in a different place. Make sure you’ve got this line present and un-commented in the [req] section of the config file:

    [req]
    ...
    x509_extensions = v3_ca

and then this goes at the end of the [v3_ca] section, followed by a new [alt_names] section listing the names:

    [v3_ca]
    ...
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = example.com
    DNS.2 = www.example.com
    DNS.3 = example.co.uk
    DNS.4 = www.example.co.uk

There is (apparently) a limit to the number (or total length) of the alternate names, but I didn’t reach it with 11 domain names.

It’s also possible to add IP addresses to the alt_names section like this:

    IP.1 = 192.168.1.1
    IP.2 = 192.168.69.14

Then, to create the key and self-signed certificate, run commands similar to these:

    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout project.key -out project.crt -config ~/project-openssl.cnf
    cp project.crt /etc/ssl/localcerts/
    mv project.key /etc/ssl/private/

Note that I move (rather than copy) the key to the private directory to avoid leaving a copy of it lying around unprotected.

You can check that the certificate contains all the domains that you added by running this:

    openssl x509 -in project.crt -text -noout | less
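Putting the steps above together as an added example (not code from the original post): a shell script that writes the [alt_names] section from lists of hostnames and IP addresses, runs the post's openssl req command, and reads the SANs back out of the resulting certificate. It assumes a minimal generated config with prompt = no rather than an edited copy of /etc/ssl/openssl.cnf, and a working openssl binary in PATH.

```sh
# Added example, not code from the original post. A minimal stand-alone config is
# generated here (prompt = no) instead of editing a copy of /etc/ssl/openssl.cnf,
# so everything runs non-interactively; the file names are the post's.

# make_san_config "host1 host2 ..." "ip1 ip2 ..." OUTFILE
# Writes a [req] section pointing at v3_ca, a DN whose CN is the first hostname,
# and the [v3_ca]/[alt_names] sections with one DNS.n / IP.n entry per name.
make_san_config() {
    domains=$1 ips=$2 out=$3
    first=${domains%% *}
    {
        printf '[req]\ndistinguished_name = req_dn\nx509_extensions = v3_ca\nprompt = no\n'
        printf '[req_dn]\nCN = %s\n' "$first"
        printf '[v3_ca]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=0; for d in $domains; do i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$d"; done
        i=0; for a in $ips; do i=$((i + 1)); printf 'IP.%d = %s\n' "$i" "$a"; done
    } > "$out"
}

# make_self_signed CONFIG KEYFILE CERTFILE
# The post's openssl req command. The umask means the private key is 0600 from the
# moment it is written, so there is never a world-readable copy to clean up; the
# certificate is public and is set back to 0644.
make_self_signed() {
    (umask 077 && openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$2" -out "$3" -config "$1")
    chmod 644 "$3"
}

# cert_sans CERTFILE
# Prints the Subject Alternative Name entries of the certificate, i.e. the check
# the post does by eye with openssl x509 -text.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Demo with constructed names (the post's example.com / example.co.uk hosts).
demo_dir=$(mktemp -d)
make_san_config "example.com www.example.com example.co.uk" "192.168.1.1" \
    "$demo_dir/project-openssl.cnf"
make_self_signed "$demo_dir/project-openssl.cnf" "$demo_dir/project.key" "$demo_dir/project.crt"
cert_sans "$demo_dir/project.crt"
```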

Alternative approach

I haven’t tried this, but according to http://apetec.com/support/GenerateSAN-CSR.htm it’s also possible to create a CSR and then self-sign it like this:

    openssl x509 -req -days 3650 -in project.csr -signkey project.key \
        -out project.crt -extensions v3_req -extfile project-openssl.cnf

References: