Create a Self-Signed SAN (Subject Alternative Name) Certificate Using OpenSSL


Creating a self-signed certificate with OpenSSL covers a basic in-house need for an organization. Often one certificate must cover several host names, which is what the subject alternative name (SAN) extension is for. This article explains a simple procedure to create a self-signed SAN (Subject Alternative Name) certificate using OpenSSL.


Topic

  • How to create a SAN (Subject Alternative Name) certificate using OpenSSL?
  • How to use one SSL certificate for multiple domains or sub-domains?
  • Create a self-signed OpenSSL SAN-based certificate for multiple domains or sub-domains
  • Create an OpenSSL SAN (Subject Alternative Name) certificate on Linux | CentOS | Ubuntu | Debian | RHEL



Solution


Create an OpenSSL configuration file like the one below on the local computer, editing the fields to match your needs. In the following example the domain name (CN) is www.testdomain.com and the SAN entries are host1.testdomain.com through host3.testdomain.com.

$ cat req.conf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = Dallas
L = Vertican
O = CA Organization
OU = Vertican
CN = www.testdomain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1.testdomain.com
DNS.2 = host2.testdomain.com
DNS.3 = host3.testdomain.com

Execute the following command to create the self-signed certificate using the above req.conf file. The new certificate will be valid for 1000 days. The -nodes option writes the private key to disk unencrypted; the next section covers protecting it with a passphrase instead.

openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout key.pem -out cert.pem -config req.conf -extensions 'v3_req'

The command produces two files, key.pem (the private key) and cert.pem (the certificate), which can then be installed in the application or web server.

If there is a need to set a passphrase on the private key:
  • Create the private key first
    # openssl genrsa -des3 -out key.pem 1024
    Generating RSA private key, 1024 bit long modulus
    ...................................++++++
    ......................................................++++++
    e is 65537 (0x10001)
    Enter pass phrase for key.pem:
    Verifying - Enter pass phrase for key.pem:

  • Create the self-signed SAN certificate using the above key.pem and req.conf file.
    # openssl req -x509 -nodes -days 1000 -key key.pem -out cert.pem -config req.conf -extensions 'v3_req'
    Enter pass phrase for key.pem:


OpenSSL Certificate or Key validation

  • Check OpenSSL certificate content
    # openssl x509 -in cert.pem -noout -text
    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a0:d6:6a:b4:99:ea:17:e2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Dallas, L=Vertican, O=CA Organization, OU=Vertican, CN=www.testdomain.com
        Validity
            Not Before: Nov  8 12:02:09 2019 GMT
            Not After : Aug  4 12:02:09 2022 GMT
        Subject: C=US, ST=Dallas, L=Vertican, O=CA Organization, OU=Vertican, CN=www.testdomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c6:ee:78:f6:87:02:bd:4c:49:09:4b:d0:14:7e:
                    62:dc:fa:93:ab:44:5c:ff:e4:67:7d:26:51:dc:ef:
                    73:34:23:e9:07:e7:7f:24:d1:ce:48:25:0a:5c:f9:
                    69:b3:1f:c7:f6:f0:6c:c0:50:2b:3c:78:4d:56:d3:
                    a2:66:34:13:46:83:55:98:b2:e6:a5:99:90:4f:c2:
                    c5:21:0e:39:9c:96:bf:90:4b:b7:88:58:55:49:5c:
                    0a:d9:43:5b:9d:04:d9:16:1e:14:2f:15:22:65:1a:
                    cb:e7:18:d1:ec:9d:c8:be:9e:d4:6e:fc:9e:39:ac:
                    02:b6:18:78:7c:f5:00:0b:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:host1.testdomain.com, DNS:host2.testdomain.com, DNS:host3.testdomain.com
    Signature Algorithm: sha256WithRSAEncryption
         af:94:3a:f5:32:42:1c:0c:ae:6d:61:98:0a:ec:e3:73:60:d5:
         42:73:3d:73:3a:c1:6e:d9:da:45:04:79:15:a3:02:8b:8f:3e:
         6a:2e:4f:db:da:a0:db:69:24:6e:a6:77:4e:46:14:18:6c:dc:
         05:a0:56:3b:c5:36:42:12:10:fa:31:3c:cb:20:dc:ee:ad:22:
         68:ea:5e:fa:97:1a:94:46:d7:9f:fe:86:98:22:1c:fc:f7:fb:
         a1:dd:bc:a9:51:8f:e4:52:d1:d2:63:76:59:2c:20:a2:83:de:
         d1:3c:91:6b:22:d8:36:14:7c:52:76:39:7f:95:a8:ce:08:2f:
         34:aa
  • Check OpenSSL key content
    # openssl rsa -in key.pem -noout -text
    Enter pass phrase for key.pem:
    Private-Key: (1024 bit)
    modulus:
        00:c6:ee:78:f6:87:02:bd:4c:49:09:4b:d0:14:7e:
        62:dc:fa:93:ab:44:5c:ff:e4:67:7d:26:51:dc:ef:
        73:34:23:e9:07:e7:7f:24:d1:ce:48:25:0a:5c:f9:
        69:b3:1f:c7:f6:f0:6c:c0:50:2b:3c:78:4d:56:d3:
        a2:66:34:13:46:83:55:98:b2:e6:a5:99:90:4f:c2:
        c5:21:0e:39:9c:96:bf:90:4b:b7:88:58:55:49:5c:
        0a:d9:43:5b:9d:04:d9:16:1e:14:2f:15:22:65:1a:
        cb:e7:18:d1:ec:9d:c8:be:9e:d4:6e:fc:9e:39:ac:
        02:b6:18:78:7c:f5:00:0b:bb
    publicExponent: 65537 (0x10001)
    privateExponent:
        79:be:80:30:ff:b7:61:7a:4a:48:72:29:4a:21:7f:
        07:96:22:c1:71:f9:28:71:f4:13:d7:5b:ca:46:90:
        ce:9c:1b:85:46:db:bd:00:d9:a9:b5:61:7e:3c:f5:
        bf:35:f7:fe:dc:6c:f1:d5:1e:60:c7:8f:2d:50:1f:
        d7:44:8f:76:46:76:9e:9a:e1:7b:ed:05:fc:ad:86:
        fd:7e:39:84:9b:50:02:1a:f9:71:fe:79:6e:d1:7b:
        61:a2:7f:31:57:09:6b:14:44:52:ac:b4:54:ab:b8:
        33:f3:36:52:86:0c:79:3e:1b:a2:70:b2:ee:14:82:
        64:18:91:da:59:83:55:61
    [........]

Verify that the certificate matches the private key; that check is covered in a separate article.
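The script below is an added example, not code from the original article or from TekFik. It scripts both generation paths shown above (a fresh unencrypted key, and a passphrase-protected key created first), then adds the two checks a practitioner wants before deploying the files: which host names the certificate actually covers, and whether key.pem and cert.pem belong together. It assumes the openssl command-line tool (1.0.2 or later, for -verify_hostname) is on PATH; every directory, file name and passphrase in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original article. It scripts the article's
# two generation paths (fresh unencrypted key; passphrase-protected key) and
# adds the checks a practitioner wants afterwards: which host names the
# certificate covers, and whether key and certificate belong together.
# Assumes the openssl CLI (1.0.2 or later, for -verify_hostname) is on PATH;
# directory and file names are constructed for the example.
set -eu

# write_req_conf DIR CN NAME...  writes DIR/req.conf in the article's layout
# with one DNS.n entry per NAME. digitalSignature is added to keyUsage because
# ECDHE cipher suites and TLS 1.3 sign the handshake with the server key.
write_req_conf() {
    dir=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'x509_extensions = v3_req\nprompt = no\n'
        printf '[req_distinguished_name]\nC = US\nST = Dallas\nL = Vertican\n'
        printf 'O = CA Organization\nOU = Vertican\nCN = %s\n' "$cn"
        printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment, dataEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
        printf '[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$dir/req.conf"
}

# make_san_cert DIR CN NAME...  the article's single-command path: a new
# 2048-bit key written unencrypted (-nodes) to DIR/key.pem, cert in DIR/cert.pem.
make_san_cert() {
    write_req_conf "$@"
    openssl req -x509 -nodes -days 1000 -newkey rsa:2048 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -config "$1/req.conf" -extensions v3_req 2>/dev/null
}

# make_san_cert_with_key DIR PASSFILE CN NAME...  the article's second path:
# an AES-256 encrypted key first, then the certificate signed with it. The
# passphrase is read from PASSFILE (first line) so nothing is prompted and it
# never appears in the process list or shell history as -pass pass:... would.
make_san_cert_with_key() {
    dir=$1; passfile=$2; shift 2
    openssl genrsa -aes256 -passout "file:$passfile" -out "$dir/key.pem" 2048 2>/dev/null
    write_req_conf "$dir" "$@"
    openssl req -x509 -days 1000 -key "$dir/key.pem" -passin "file:$passfile" \
        -out "$dir/cert.pem" -config "$dir/req.conf" -extensions v3_req 2>/dev/null
}

# san_names CERT  prints each DNS name from subjectAltName on its own line.
san_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# cert_accepts_host CERT HOST  succeeds only if CERT is valid for HOST. The
# self-signed certificate is passed as its own trust anchor; what matters is
# the name check, which matches against subjectAltName and, once any DNS SAN
# is present, no longer looks at the CN (RFC 6125 behaviour).
cert_accepts_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# key_matches_cert KEY CERT [PASSFILE]  succeeds if CERT carries KEY's public
# key: the public key is extracted from each side and compared verbatim.
key_matches_cert() {
    if [ $# -ge 3 ]; then
        pub=$(openssl pkey -in "$1" -passin "file:$3" -pubout 2>/dev/null) || return 1
    else
        pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    fi
    [ -n "$pub" ] || return 1
    [ "$pub" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Worked run: the article's names, with the CN deliberately left out of
# alt_names to show that it is not matched once SANs exist.
demo() {
    work=$(mktemp -d)
    make_san_cert "$work" www.testdomain.com host1.testdomain.com host2.testdomain.com host3.testdomain.com
    echo "SAN entries:"; san_names "$work/cert.pem"
    for h in host2.testdomain.com www.testdomain.com; do
        if cert_accepts_host "$work/cert.pem" "$h"; then echo "$h: accepted"
        else echo "$h: rejected (not in subjectAltName)"; fi
    done
    key_matches_cert "$work/key.pem" "$work/cert.pem" && echo "key.pem matches cert.pem"
    # Passphrase path; the passphrase here is constructed for the demo only.
    mkdir "$work/enc"; printf 'demo-passphrase\n' > "$work/pass.txt"
    make_san_cert_with_key "$work/enc" "$work/pass.txt" www.testdomain.com host1.testdomain.com
    key_matches_cert "$work/enc/key.pem" "$work/enc/cert.pem" "$work/pass.txt" && echo "encrypted key matches its cert"
    rm -rf "$work"
}

demo
```

Two points the run makes visible. First, www.testdomain.com is rejected even though it is the CN: clients that find a subjectAltName extension match only against it, so a name that should be served must be listed as a DNS.n entry as well (add DNS.4 = www.testdomain.com to alt_names if the certificate is meant for that host too). Second, the helpers generate 2048-bit keys rather than the 1024 bits used in the article's genrsa command, since 1024-bit RSA is below the minimum that current guidance (NIST SP 800-131A) and the default security level of modern TLS stacks require.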

About the Author: TekFik

TekFik is a technical blogging site that helps techies and engineers solve their day-to-day issues and lets everyone share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
