How To Generate A San (Subject Alternative Names) SSL CSR With Openssl

This document provides instructions for generating an SSL certificate signing request (CSR) with Subject Alternative Names (SANs) using OpenSSL. It explains that a SAN allows a single certificate to be valid for multiple domain names. It then outlines the steps to configure an OpenSSL configuration file with the domains and certificate details, generate a private key, and use those to create the CSR to send to a certificate authority for signing. The key steps are: 1) Create an OpenSSL configuration file with the domains in the SAN and the certificate fields; 2) Generate a 2048-bit private key; 3) Use the configuration file and private key to generate the CSR.

HOW TO generate a SAN (Subject Alternative Names) SSL CSR with OpenSSL

There is a cool SSLv3 protocol extension called SAN (Subject Alternative Names). With
this extension you can create a single SSL X.509 certificate that is valid for several domain
names, instead of a classic certificate that is valid for one domain name only.

You can of course create this kind of certificate with OpenSSL. We are now going to see how to do
that. First you have to create a file called openssl.cnf and put it, for example, into a temporary directory.
The file should begin with:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

This is to enable SSLv3 req extensions.


Now you have to add your custom information to the openssl.cnf file: this information will be
reflected in the next steps.
Add something like this to openssl.cnf:

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = IT
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Italy
localityName = Locality Name (eg, city)
localityName_default = Rome
organizationName = Organization name
organizationName_default = My company name Srl
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = System Techies
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

The information above is used by the "openssl req" command to prompt you for the data needed to generate
your certificate request (the _default entries are offered as defaults, the _max entries limit the field length). Then, add this block into the openssl.cnf file:

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

This block enables some extra useful things in your certificate request that will
hopefully become valid in your brand new SSLv3 certificate. For example, you are requesting that your
Certification Authority release an X.509 SSLv3 certificate with server and client authentication
purposes, plus other certificate goodies. Note that the keyUsage value must be on a single line; the CA is free to ignore or override any of these requested extensions when it signs.

Now the cool part: this is where you are asking your CA to release a certificate with Alternative
Names (certificate valid for several domains). Append this stuff in openssl.cnf:

[alt_names]
DNS.1 = www.myfirstdomain.it
DNS.2 = myfirstdomain.it
DNS.3 = www.myalternativedomain.it
# you could also specify IP addresses like this:
# IP.1 = 192.168.25.254
# IP.2 = 192.168.43.100

OK. You are almost ready to create your CSR, but first you have to generate your private key.
NOTE that many CAs now require a private key of 2048 bits or more. Be warned: a 1024-bit key
is not recommended!

To generate a 2048-bit private key, as usual, execute this command:

openssl genrsa -out server.key 2048

Perfect. It’s time to create the Certificate Request (PKCS#10) with SSLv3 extensions:

openssl req -new -out server.csr -key server.key -config openssl.cnf

Now, send your new server.csr file to your Certification Authority, which will hopefully accept the
request and release a valid X.509 SSLv3 certificate with SAN. Before sending it, inspect the request with
"openssl req -in server.csr -noout -text" and confirm that the Subject Alternative Name entries are present:
if the req_extensions line is missing from the [req] section, the CSR is generated without any SAN and the CA
will issue a certificate for the Common Name only.
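The whole procedure above, run unattended and with the check a practitioner wants before the CSR leaves the machine, as an added example that is not part of the original article. It writes the openssl.cnf described above (with prompt = no so no questions are asked; the domain names and DN values are the article's placeholders), generates the key and CSR, and then verifies that every requested DNS name really ended up in the request's SAN extension.

```shell
#!/bin/sh
# Added example (not from the original article): build the openssl.cnf from the
# article, generate server.key and server.csr, then verify the SAN in the CSR.
set -eu
write_config() {          # $1 = path of the openssl.cnf to write
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C  = IT
ST = Italy
L  = Rome
O  = My company name Srl
OU = System Techies
CN = www.myfirstdomain.it

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.myfirstdomain.it
DNS.2 = myfirstdomain.it
DNS.3 = www.myalternativedomain.it
EOF
}
generate_csr() {          # $1 = working directory; creates server.key and server.csr in it
    write_config "$1/openssl.cnf"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -out "$1/server.csr" -config "$1/openssl.cnf"
}
csr_san() {               # $1 = CSR file; prints its SAN line, e.g. "DNS:a, DNS:b"
    openssl req -in "$1" -noout -text | grep 'DNS:' | sed 's/^ *//'
}
check_csr() {             # $1 = CSR file, $2.. = DNS names that must appear in the SAN
    csr=$1; san=$(csr_san "$1" || true); shift
    for name in "$@"; do
        # wrap in ", " so each DNS: token is matched whole, not as a substring
        case ", $san," in *", DNS:$name,"*) ;; *) echo "missing DNS:$name in $csr" >&2; return 1 ;; esac
    done
}
# Run end to end when given a directory:  sh san_csr.sh /tmp/csrwork
[ "$#" -eq 0 ] || { generate_csr "$1"; check_csr "$1/server.csr" www.myfirstdomain.it myfirstdomain.it www.myalternativedomain.it && csr_san "$1/server.csr"; }
```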

Good luck and enjoy.
