Self-signed multiple-domain SSL certificates

Published 9 July 2014 (last modified 27 July 2014), https://wp.fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/
I’ve finally worked out how to create self-signed SSL certificates for multiple domain names with openssl.

These notes relate to Debian GNU/Linux, but the principles will apply to other operating systems.

The first step, which makes the process easier and repeatable in the future, is to copy the default configuration file from /etc/ssl/openssl.cnf to a working directory where you can adapt it.

Let’s assume that you’ve copied /etc/ssl/openssl.cnf to ~/project-openssl.cnf. Edit the new file and set the various default values to the ones that you need — that’s better than having to respond to openssl’s prompts every time you run it.
For real (non-self-signed) certificates, you would generate a certificate signing request (.csr) file, ready for a certificate authority to sign it for you. In that case, follow the instructions at http://wiki.cacert.org/FAQ/subjectAltName.

But for a self-signed certificate, the subjectAltName has to go in a different place. Make sure you’ve got this line present and uncommented in the [req] section of the config file:

    [req]
    ...
    x509_extensions = v3_ca

and then this goes at the end of the [v3_ca] section:

    [v3_ca]
    ...
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = example.com
    DNS.2 = www.example.com
    DNS.3 = example.co.uk
    DNS.4 = www.example.co.uk

There is (apparently) a limit to the number (or total length) of the alternate names, but I didn’t reach it with 11 domain names.

It’s also possible to add IP addresses to the alt_names section like this:

    IP.1 = 192.168.1.1
    IP.2 = 192.168.69.14

Then to create the key and self-signed certificate, run commands similar to these:

    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout project.key -out project.crt -config ~/project-openssl.cnf
    cp project.crt /etc/ssl/localcerts/
    mv project.key /etc/ssl/private/

Note that I move (rather than copy) the key to the private directory to avoid leaving a copy of it lying around unprotected.

You can check that the certificate contains all the domains that you added by running this:

    openssl x509 -in project.crt -text -noout | less

Alternative approach

I haven’t tried this, but according to http://apetec.com/support/GenerateSAN-CSR.htm it’s also possible to create a CSR and then self-sign it like this:

    openssl x509 -req -days 3650 -in project.csr -signkey project.key \
        -out project.crt -extensions v3_req -extfile project-openssl.cnf

(The section named by -extensions must be the one that actually contains the subjectAltName line; with the config edited as above, that section is v3_ca.)

References:

http://wiki.cacert.org/FAQ/subjectAltName
http://apetec.com/support/GenerateSAN-CSR.htm
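As an added example (not code from the original post), this POSIX shell script turns the manual steps above into a repeatable one: it writes a minimal config with the [req] / [v3_ca] / [alt_names] layout from a list of names, creates the key and self-signed certificate, keeps the key readable only by its owner, and prints the certificate's subjectAltName so the result can be checked. The section name req_dn, the use of prompt = no, and basicConstraints = CA:FALSE are my choices, not the post's.

```sh
#!/bin/sh
# Added example (not from the original post): generate a self-signed
# multi-SAN certificate from a list of names and print its SAN entries.

# make_san_config CFG CN NAME...  -- write a minimal openssl config to CFG.
# Names made only of digits and dots become IP.n entries; the rest DNS.n.
make_san_config() {
    cfg="$1"; cn="$2"; shift 2
    dns=0; ip=0
    {
        printf '[req]\nprompt = no\ndistinguished_name = req_dn\n'
        printf 'x509_extensions = v3_ca\n\n'
        printf '[req_dn]\nCN = %s\n\n' "$cn"
        # Assumption: this is a leaf (server) cert, so CA:FALSE rather than
        # the CA:TRUE found in the stock v3_ca section.
        printf '[v3_ca]\nbasicConstraints = CA:FALSE\n'
        printf 'subjectAltName = @alt_names\n\n[alt_names]\n'
        for n in "$@"; do
            case "$n" in
                *[!0-9.]*) dns=$((dns + 1)); printf 'DNS.%d = %s\n' "$dns" "$n" ;;
                *)         ip=$((ip + 1));   printf 'IP.%d = %s\n' "$ip" "$n" ;;
            esac
        done
    } > "$cfg"
}

# make_self_signed DIR NAME...  -- key and cert written into DIR, first name
# used as the CN. The key is unencrypted (-nodes) as in the post, so it is
# restricted to mode 0600. Prints the SAN lines from the certificate.
make_self_signed() {
    dir="$1"; shift
    make_san_config "$dir/project-openssl.cnf" "$1" "$@"
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$dir/project.key" -out "$dir/project.crt" \
        -config "$dir/project-openssl.cnf" 2>/dev/null || return 1
    chmod 600 "$dir/project.key"
    openssl x509 -in "$dir/project.crt" -noout -text \
        | grep -A1 'Subject Alternative Name'
}

# Usage: make_self_signed /tmp/certs example.com www.example.com 192.168.1.1
```

Every name you pass must appear in the printed SAN line; a missing one means the config section was not picked up (for instance because x509_extensions still points at a section without subjectAltName).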