
Creating a self-signed certificate using OpenSSL fulfills a basic in-house need for an organization. There might be a need to use one certificate with multiple subject alternative names (SAN). This article explains a simple procedure to create a self-signed SAN (Subject Alternative Name) certificate using OpenSSL.
Topic
- How to create a SAN (Subject Alternative Name) certificate using OpenSSL?
- How to use one SSL certificate for multiple domains or sub-domains?
- Create a self-signed OpenSSL SAN-based certificate for multiple domains or sub-domains
- Create an OpenSSL SAN (Subject Alternative Name) certificate on Linux|CentOS|Ubuntu|Debian|RHEL?
Solution
Create an OpenSSL configuration file like the one below on the local computer, editing the required fields according to your needs. In the following example we use www.testdomain.com as the domain name and host1.testdomain.com through host3.testdomain.com as the SANs.
$ cat req.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = Dallas
L = Vertican
O = CA Organization
OU = Vertican
CN = www.testdomain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1.testdomain.com
DNS.2 = host2.testdomain.com
DNS.3 = host3.testdomain.com
Execute the following command to create the self-signed certificate using the above req.conf file. The new certificate will be valid for 1000 days.
openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout key.pem -out cert.pem -config req.conf -extensions 'v3_req'
The above command generates two files, key.pem and cert.pem, which can be integrated into the application or web server.
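Before deploying cert.pem, it is worth checking which hostnames it will actually be accepted for: clients that follow RFC 6125 match only the subjectAltName entries once that extension is present and do not fall back to the CN. The following added example (not part of the original article) parses a trimmed copy of the req.conf above with Python's configparser and reports that coverage; the function names are illustrative assumptions.

```python
import configparser

# Constructed sample: trimmed copy of the article's req.conf, embedded to run offline.
REQ_CONF = """\
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = www.testdomain.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1.testdomain.com
DNS.2 = host2.testdomain.com
DNS.3 = host3.testdomain.com
"""

def san_dns_names(conf_text):
    """Return (CN, [SAN dNSName entries]) for the section named by x509_extensions."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    req = cp["req"]
    cn = cp[req["distinguished_name"]].get("CN", "")
    san = cp[req["x509_extensions"]].get("subjectAltName", "")
    names = []
    for item in san.split(","):
        item = item.strip()
        if item.startswith("@"):               # @section indirection, as in the article
            # configparser lower-cases option names, so DNS.1 is read back as dns.1
            names += [v for k, v in cp[item[1:]].items() if k.startswith("dns.")]
        elif item.upper().startswith("DNS:"):  # inline form: DNS:a.example, DNS:b.example
            names.append(item[4:].strip())
    return cn, names

def host_matches(host, pattern):
    """dNSName match: case-insensitive; '*' only as the entire left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def covered(host, names):
    """True if any SAN entry matches; the CN is not consulted once a SAN exists."""
    return any(host_matches(host, n) for n in names)
```

With the configuration above, covered("www.testdomain.com", names) is False, because the CN is not repeated in [alt_names]; adding DNS.4 = www.testdomain.com to that section makes the certificate valid for that name as well.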
If there is a need to set a password on the private key:
- Create a private key first
# openssl genrsa -des3 -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
...................................++++++
......................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
- Create the self-signed SAN certificate using the above key.pem and req.conf file.
# openssl req -x509 -nodes -days 1000 -key key.pem -out cert.pem -config req.conf -extensions 'v3_req'
Enter pass phrase for key.pem:
OpenSSL Certificate or Key validation
- Check OpenSSL certificate content
# openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a0:d6:6a:b4:99:ea:17:e2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Dallas, L=Vertican, O=CA Organization, OU=Vertican, CN=www.testdomain.com
        Validity
            Not Before: Nov 8 12:02:09 2019 GMT
            Not After : Aug 4 12:02:09 2022 GMT
        Subject: C=US, ST=Dallas, L=Vertican, O=CA Organization, OU=Vertican, CN=www.testdomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c6:ee:78:f6:87:02:bd:4c:49:09:4b:d0:14:7e:
                    62:dc:fa:93:ab:44:5c:ff:e4:67:7d:26:51:dc:ef:
                    73:34:23:e9:07:e7:7f:24:d1:ce:48:25:0a:5c:f9:
                    69:b3:1f:c7:f6:f0:6c:c0:50:2b:3c:78:4d:56:d3:
                    a2:66:34:13:46:83:55:98:b2:e6:a5:99:90:4f:c2:
                    c5:21:0e:39:9c:96:bf:90:4b:b7:88:58:55:49:5c:
                    0a:d9:43:5b:9d:04:d9:16:1e:14:2f:15:22:65:1a:
                    cb:e7:18:d1:ec:9d:c8:be:9e:d4:6e:fc:9e:39:ac:
                    02:b6:18:78:7c:f5:00:0b:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:host1.testdomain.com, DNS:host2.testdomain.com, DNS:host3.testdomain.com
    Signature Algorithm: sha256WithRSAEncryption
         af:94:3a:f5:32:42:1c:0c:ae:6d:61:98:0a:ec:e3:73:60:d5:
         42:73:3d:73:3a:c1:6e:d9:da:45:04:79:15:a3:02:8b:8f:3e:
         6a:2e:4f:db:da:a0:db:69:24:6e:a6:77:4e:46:14:18:6c:dc:
         05:a0:56:3b:c5:36:42:12:10:fa:31:3c:cb:20:dc:ee:ad:22:
         68:ea:5e:fa:97:1a:94:46:d7:9f:fe:86:98:22:1c:fc:f7:fb:
         a1:dd:bc:a9:51:8f:e4:52:d1:d2:63:76:59:2c:20:a2:83:de:
         d1:3c:91:6b:22:d8:36:14:7c:52:76:39:7f:95:a8:ce:08:2f:
         34:aa
- Check OpenSSL key content
# openssl rsa -in key.pem -noout -text
Enter pass phrase for key.pem:
Private-Key: (1024 bit)
modulus:
00:c6:ee:78:f6:87:02:bd:4c:49:09:4b:d0:14:7e:
62:dc:fa:93:ab:44:5c:ff:e4:67:7d:26:51:dc:ef:
73:34:23:e9:07:e7:7f:24:d1:ce:48:25:0a:5c:f9:
69:b3:1f:c7:f6:f0:6c:c0:50:2b:3c:78:4d:56:d3:
a2:66:34:13:46:83:55:98:b2:e6:a5:99:90:4f:c2:
c5:21:0e:39:9c:96:bf:90:4b:b7:88:58:55:49:5c:
0a:d9:43:5b:9d:04:d9:16:1e:14:2f:15:22:65:1a:
cb:e7:18:d1:ec:9d:c8:be:9e:d4:6e:fc:9e:39:ac:
02:b6:18:78:7c:f5:00:0b:bb
publicExponent: 65537 (0x10001)
privateExponent:
79:be:80:30:ff:b7:61:7a:4a:48:72:29:4a:21:7f:
07:96:22:c1:71:f9:28:71:f4:13:d7:5b:ca:46:90:
ce:9c:1b:85:46:db:bd:00:d9:a9:b5:61:7e:3c:f5:
bf:35:f7:fe:dc:6c:f1:d5:1e:60:c7:8f:2d:50:1f:
d7:44:8f:76:46:76:9e:9a:e1:7b:ed:05:fc:ad:86:
fd:7e:39:84:9b:50:02:1a:f9:71:fe:79:6e:d1:7b:
61:a2:7f:31:57:09:6b:14:44:52:ac:b4:54:ab:b8:
33:f3:36:52:86:0c:79:3e:1b:a2:70:b2:ee:14:82:
64:18:91:da:59:83:55:61
[........]