Create a Self-Signed SAN(Subject Alternate Name) Certificate Using OpenSSL

Creating a self-signed certificate using OpenSSL fulfills basic in-house need for an organization. There might be a need to use one certificate with multiple subject alternative names(SAN). This article explains a simple procedure to Create a Self-Signed SAN(Subject Alternate Name) Certificate Using OpenSSL.

Topic

• How to create SAN(Subject Alternate Name) Certificate Using OpenSSL?

• How to use one SSL certificate for multiple domains or sub-domains?

• Create a self-signed openssl SAN based certificate for multiple domains or sub-domains

• Create OpenSSL SAN(Subject Alternate Name) Certificate on Linux|Centos|Ubuntu|Debian|RHEL?

Solution

Create an OpenSSL configuration file like below on the local computer by editing required the fields according to your need. In the following example we use domain name as www.testdomain.com and SAN as host1.testdomain.com –> host3.testdomain.com.

$ cat req.conf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = Dallas
L = Vertican
O = CA Organization
OU = Vertican
CN = www.testdomain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1.testdomain.com
DNS.2 = host2.testdomain.com
DNS.3 = host3.testdomain.com

Execute the following command to create the self-signed certificate using the above req.conf file. The new certificate will be valid for 1000 days.

openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout key.pem -out cert.pem -config req.conf -extensions 'v3_req'

Output of the above command will generate two files. 1) key.pem and 2) cert.pem which we can integrate in the application or web server.

If there is a need to set password to the private key:

• Create a private key first

# openssl genrsa -des3 -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
...................................++++++
......................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

• Create the self signed SAN certificate using the above key.pem and req.conf file.

# openssl req -x509 -nodes -days 1000 -key key.pem -out cert.pem -config req.conf -extensions 'v3_req'
Enter pass phrase for key.pem:

OpenSSL Certificate or Key validation

• Check OpenSSL certificate content

  # openssl x509 -in cert.pem -noout -text
  Certificate:
  Data:
      Version: 3 (0x2)
      Serial Number:
          a0:d6:6a:b4:99:ea:17:e2
  Signature Algorithm: sha256WithRSAEncryption
      Issuer: C=US, ST=Dallas, L=Vertican, O=CA Organization, OU=Vertican, CN=www.testdomain.com
      Validity
          Not Before: Nov  8 12:02:09 2019 GMT
          Not After : Aug  4 12:02:09 2022 GMT
      Subject: C=US, ST=Dallas, L=Vertican, O=CA Organization, OU=Vertican, CN=www.testdomain.com
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
              Public-Key: (1024 bit)
              Modulus:
                  00:c6:ee:78:f6:87:02:bd:4c:49:09:4b:d0:14:7e:
                  62:dc:fa:93:ab:44:5c:ff:e4:67:7d:26:51:dc:ef:
                  73:34:23:e9:07:e7:7f:24:d1:ce:48:25:0a:5c:f9:
                  69:b3:1f:c7:f6:f0:6c:c0:50:2b:3c:78:4d:56:d3:
                  a2:66:34:13:46:83:55:98:b2:e6:a5:99:90:4f:c2:
                  c5:21:0e:39:9c:96:bf:90:4b:b7:88:58:55:49:5c:
                  0a:d9:43:5b:9d:04:d9:16:1e:14:2f:15:22:65:1a:
                  cb:e7:18:d1:ec:9d:c8:be:9e:d4:6e:fc:9e:39:ac:
                  02:b6:18:78:7c:f5:00:0b:bb
              Exponent: 65537 (0x10001)
      X509v3 extensions:
          X509v3 Key Usage: 
              Key Encipherment, Data Encipherment
          X509v3 Extended Key Usage: 
              TLS Web Server Authentication
          X509v3 Subject Alternative Name: 
              DNS:host1.testdomain.com, DNS:host2.testdomain.com, DNS:host3.testdomain.com
  Signature Algorithm: sha256WithRSAEncryption
       af:94:3a:f5:32:42:1c:0c:ae:6d:61:98:0a:ec:e3:73:60:d5:
       42:73:3d:73:3a:c1:6e:d9:da:45:04:79:15:a3:02:8b:8f:3e:
       6a:2e:4f:db:da:a0:db:69:24:6e:a6:77:4e:46:14:18:6c:dc:
       05:a0:56:3b:c5:36:42:12:10:fa:31:3c:cb:20:dc:ee:ad:22:
       68:ea:5e:fa:97:1a:94:46:d7:9f:fe:86:98:22:1c:fc:f7:fb:
       a1:dd:bc:a9:51:8f:e4:52:d1:d2:63:76:59:2c:20:a2:83:de:
       d1:3c:91:6b:22:d8:36:14:7c:52:76:39:7f:95:a8:ce:08:2f:
       34:aa

• Check OpenSSL key content

# openssl rsa -in key.pem -noout -text
Enter pass phrase for key.pem:
Private-Key: (1024 bit)
modulus:
    00:c6:ee:78:f6:87:02:bd:4c:49:09:4b:d0:14:7e:
    62:dc:fa:93:ab:44:5c:ff:e4:67:7d:26:51:dc:ef:
    73:34:23:e9:07:e7:7f:24:d1:ce:48:25:0a:5c:f9:
    69:b3:1f:c7:f6:f0:6c:c0:50:2b:3c:78:4d:56:d3:
    a2:66:34:13:46:83:55:98:b2:e6:a5:99:90:4f:c2:
    c5:21:0e:39:9c:96:bf:90:4b:b7:88:58:55:49:5c:
    0a:d9:43:5b:9d:04:d9:16:1e:14:2f:15:22:65:1a:
    cb:e7:18:d1:ec:9d:c8:be:9e:d4:6e:fc:9e:39:ac:
    02:b6:18:78:7c:f5:00:0b:bb
publicExponent: 65537 (0x10001)
privateExponent:
    79:be:80:30:ff:b7:61:7a:4a:48:72:29:4a:21:7f:
    07:96:22:c1:71:f9:28:71:f4:13:d7:5b:ca:46:90:
    ce:9c:1b:85:46:db:bd:00:d9:a9:b5:61:7e:3c:f5:
    bf:35:f7:fe:dc:6c:f1:d5:1e:60:c7:8f:2d:50:1f:
    d7:44:8f:76:46:76:9e:9a:e1:7b:ed:05:fc:ad:86:
    fd:7e:39:84:9b:50:02:1a:f9:71:fe:79:6e:d1:7b:
    61:a2:7f:31:57:09:6b:14:44:52:ac:b4:54:ab:b8:
    33:f3:36:52:86:0c:79:3e:1b:a2:70:b2:ee:14:82:
    64:18:91:da:59:83:55:61
[........]

Verify if the certificate matches the private key using the following article:

• Certificate Validation or Verification