Using OpenSSL to Generate SAN Certificates

Author

Reads 1.3K

Person holding tablet with VPN connection screen for secure internet browsing.
Credit: pexels.com, Person holding tablet with VPN connection screen for secure internet browsing.

OpenSSL is a powerful tool for generating SAN certificates, and it's free and open-source.

To start, you'll need to have OpenSSL installed on your system, as described in the "Installing OpenSSL" section.

A SAN certificate can have up to 100 entries, as shown in the "Understanding SAN Certificate Entries" section.

Each entry should be in the format of a fully qualified domain name, such as example.com or www.example.com.

You can use the OpenSSL command `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=State/L=Locality/O=Organization/CN=example.com" -extensions EXT -config <(cat openssl.cnf <(printf "[SAN]

subjectAltName=DNS:example.com,DNS:sub.example.com"))` to generate a SAN certificate with a single entry.

Intriguing read: Openssl Example

Certificate Basics

SSL certificates can be overwhelming, but let's break it down. A SAN Certificate, or Subject Alternative Name Certificate, is an SSL certificate that protects multiple hostnames.

SAN certificates allow you to cover multiple hostnames with a single certificate. For example, if you wanted to cover mydomain.com and www.mydomain.com with a single certificate, you would create a SAN Certificate Signing Request (CSR) with both hostnames listed.

What Is A Certificate

Credit: youtube.com, SSL Certificate Explained

A certificate is essentially a digital document that verifies the identity of a website or organization. It's like a digital ID card that proves you are who you say you are.

SSL certificates are a type of certificate that secure online communications between a website and its visitors. They use encryption to protect sensitive information like passwords and credit card numbers.

A SAN Certificate, short for Subject Alternative Name, is a type of SSL certificate that allows multiple hostnames to be protected by a single certificate. This is useful when you want to cover multiple domains with a single certificate, like mydomain.com and www.mydomain.com.

You can create a SAN Certificate Signing Request (CSR) with multiple hostnames listed, making it easier to manage your online identity.

Verifying CSR

You can verify your Certificate Signing Request (CSR) by checking if it contains the Subject Alternative Name (SAN) you specified in the san.cnf file.

It's a good idea to double-check your CSR to ensure it's accurate.

Once you're happy with your CSR, you can send it to your certificate authority to sign the certificate.

Alternatively, you can buy a certificate from an SSL store.

Certificate Creation

Credit: youtube.com, How To Generate Self-Signed Certificate with SAN using OpenSSL

Certificate creation is a crucial step in obtaining a certificate with SAN. If you're using OpenSSL 1.1.1 or higher, you can generate a self-signed certificate with SAN by using the -addext option.

To create an OpenSSL config file, you can use the 'openssl req' command. You'll be prompted to enter your account password, and then you'll be able to create the config file. The config file should contain the following information:

You can save the file with the “CTRL+X” shortcut followed by “y” when prompted to save. Next, hit “Enter” to save with the current file name.

Generate Self-Signed Certificate

To generate a self-signed certificate, you'll need to create a private key first. Enter the command "openssl genrsa -out mydomain.com.key 2048" in the terminal, replacing "mydomain.com" with your domain or hostname.

Make sure to view the .key file by typing "ls" in the command-line, which will display your current files and directories. The .key file will look similar to "mydomain.com.key" with "mydomain.com" replacing the domain or hostname you entered.

Credit: youtube.com, How to create a valid self signed SSL Certificate?

You can then use OpenSSL 1.1.1 or higher to generate a self-signed certificate with a Subject Alternative Name (SAN) by using the "-addext" parameter. Replace example.org with your domain name, and prefix IP addresses with "IP:" instead of "DNS:".

If you're using an older version of OpenSSL, you can use bash process substitution to provide an OpenSSL config file directly without saving it anywhere. In the last line, don't forget to add 'DNS:' in front of your hostname, or you'll receive a vague error message.

Create CSR with OpenSSL

To create a CSR with OpenSSL, you'll need to create an OpenSSL config file. This file will contain the details of your certificate, including your domain or hostname. You can replace "mydomain.com" with your actual domain or hostname.

The config file will have a basic text editor within Terminal where you can create it. You'll need to copy and paste the following text into the editor, replacing "mydomain.com" with your domain or hostname: "default_bits = 2048" and so on.

For another approach, see: Create Pfx from Crt and Key Openssl

Credit: youtube.com, OpenSSL Step By Step Tutorial | How to Generate Keys, Certificates & CSR Using OpenSSL

You can save the file with the "CTRL+X" shortcut followed by "y" when prompted to save. Next, hit "Enter" to save with the current file name. This will create the config file for your OpenSSL.

You can use the following OpenSSL command to generate a CSR and KEY file: "openssl req -new -key private.key -out sslcert.csr -config san.cnf". This will create sslcert.csr and private.key in the present working directory.

To create a SAN Certificate, you'll need to list additional DNS names in the "alt_names" section of the config file. For example, you can add "DNS.1 = mydomain.com" and "DNS.2 = www.mydomain.com" to the config file.

Here's a list of the required information for the config file:

  • default_bits = 2048
  • default_md = sha256
  • distinguished_name = req_distinguished_name
  • commonName = mydomain.com (If Wildcard SSL use *.yourdomain.com)
  • subjectAltName = @alt_names
  • DNS.1 = mydomain.com
  • DNS.2 = www.mydomain.com

Creating a CSR

Creating a CSR is a crucial step in obtaining a SAN certificate. To create a CSR, you'll need to replace "mydomain.com" with your domain or hostname in the OpenSSL config file.

You can create a basic text editor within Terminal using the OpenSSL command. Copy the following text and replace it with your information, including your domain or hostname and corresponding information for bolded items.

Credit: youtube.com, How to Manually Generate a Certificate Signing Request (CSR) Using OpenSSL

The text to copy is: "default_bits = 2048

default_md = sha256

distinguished_name = req_distinguished_name

commonName = mydomain.com (If Wildcard SSL use *.yourdomain.com)

subjectAltName = @alt_names

DNS.1 = mydomain.com

DNS.2 = www.mydomain.com"

Save the file with the "CTRL+X" shortcut followed by "y" when prompted to save. Next, hit "Enter" to save with the current file name.

You can also create a file named san.cnf using vi (if on Unix) with the following information:

* Save the file and execute the OpenSSL command to generate CSR and KEY file.

This will create sslcert.csr and private.key in the present working directory. You have to send sslcert.csr to certificate signer authority so they can provide you a certificate with SAN.

Here's a summary of the OpenSSL command to create a CSR with SAN:

  • Login into a server where you have OpenSSL installed
  • Go to /tmp or create any directory
  • Create a file named san.cnf with the following information

+ default_bits = 2048

+ default_md = sha256

Credit: youtube.com, How to create CSR for multiple domains (SAN - Subject Alternative Name) using OpenSSL ?

+ distinguished_name = req_distinguished_name

+ commonName = mydomain.com (If Wildcard SSL use *.yourdomain.com)

+ subjectAltName = @alt_names

+ DNS.1 = mydomain.com

+ DNS.2 = www.mydomain.com

* Save the file and execute the OpenSSL command to generate CSR and KEY file.

Note that you can add more DNS entries to the alt_names section for additional hostnames.

Troubleshooting

Firefox from 101.0 onward no longer uses certificate CN for matching domain name to certificate, and has migrated to only using SAN.

If you're experiencing issues with self-signed certificates, it's likely due to the removal of "subject common name" fallback support from certificate validation.

To resolve this, you'll need to regenerate your self-signed certificate with the SAN extension present, as it's required by the CA Browser Forum Baseline Requirements since 2012.

Problem:

Firefox has a new certificate validation rule that's causing issues for some users.

Firefox from 101.0 onward no longer uses the subject common name for matching domain names to certificates.

Hand holding smartphone displaying network analysis in high-tech server environment.
Credit: pexels.com, Hand holding smartphone displaying network analysis in high-tech server environment.

A few days ago, Firefox stopped accepting a self-signed certificate due to a lack of SAN (Subject Alternative Names).

The CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension since 2012.

Use of the subject common name was deprecated in RFC 2818.

If you self-sign for internal devices, you'll need to regenerate your certificate.

Solution

To troubleshoot SAN certificate issues, start by creating a san.cnf file on your local environment. This file will serve as a configuration for your SAN certificate.

When generating the CSR, reference the san.cnf config file by using the openssl req command with the -config flag. For example: openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout server-key.pem -config san.cnf

However, be aware that extensions in certificates are not transferred to certificate requests and vice versa, as mentioned in the OpenSSL documentation.

To include the Subject Alternative Name (SAN) in your certificate, you'll need to create a v3.ext file with the necessary configuration. A basic example of this file might look like this:

Generating the x.509 certificate using the -extfile v3.ext flag will include the SANs in your certificate. It's recommended to generate both the CSR and SSL certificate with their respective san.cnf and v3.ext config files for continuity.

To verify the CSR for SAN, use the openssl x509 command with the -text and -noout flags, and then pipe the output to grep to search for the Subject Alternative Name. For example: openssl x509 -text -noout -in server-cert.pem | grep -A 1 "Subject Alternative Name"

Solution

Credit: youtube.com, Unix & Linux: `openssl`: Subject Alternative Name (4 Solutions!!)

To create a Subject Alternative Name (SAN) certificate with OpenSSL, you'll need to create a configuration file, such as san.cnf, on your local environment.

This file will serve as a template for generating the Certificate Signing Request (CSR). You can create the CSR by running the command:

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout server-key.pem -config san.cnf

This command generates the CSR referencing the san.cnf config file.

If you want to verify the SAN extension in the CSR, you can use the following command:

openssl req -noout -text -in sslcert.csr | grep DNS

However, be aware that extensions in certificates are not transferred to certificate requests and vice versa, as stated in the OpenSSL documentation.

To include the SAN extension in the x.509 certificate, you'll need to use the -extfile v3.ext flag. Here's an example of how to create the x.509 certificate:

Generate the x.509 certificate using the -extfile v3.ext flag to include SAN('s):

Credit: youtube.com, Resolving the SSLHandshakeException: No Subject Alternative Names Present

It's worth noting that if you leave the basicConstraints = CA:TRUE line in your config file, Firefox may think your cert is a CA and deny your request. Omitting this line will fix the issue.

Here's a quick rundown of the steps to create a SAN certificate:

  • Create a config file (e.g. san.cnf) on your local environment
  • Generate the CSR referencing the san.cnf config file
  • Verify the SAN extension in the CSR (if needed)
  • Generate the x.509 certificate using the -extfile v3.ext flag

To verify the SAN extension in the x.509 certificate, you can use the following command:

openssl x509 -text -noout -in server-cert.pem | grep -A 1 "Subject Alternative Name"

Willie Walsh

Junior Assigning Editor

Willie Walsh is an accomplished Assigning Editor with a keen eye for detail and a passion for delivering high-quality content. With a strong background in research and editing, Willie has honed their skills in identifying and assigning relevant topics to writers. Willie's expertise spans a wide range of categories, including technology, productivity, and education.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.