openssl subject alternative name Tutorial for Creating Secure Server Certificates

Author

Reads 801

Smart home wireless network router device
Credit: pexels.com, Smart home wireless network router device

Creating a secure server certificate with OpenSSL involves specifying the Subject Alternative Name (SAN) extension. This extension is crucial for enabling multiple domain names to be associated with a single certificate.

The SAN extension can be specified in the OpenSSL configuration file or directly on the command line when generating the certificate request. For example, you can add the following lines to your OpenSSL configuration file to specify the SAN extension: `subjectAltName = DNS:example.com, DNS:www.example.com`.

Each SAN entry must be separated by a comma and enclosed in quotes. The DNS: prefix is used to specify a domain name.

The SAN extension can be used to specify multiple domain names, such as example.com, www.example.com, and blog.example.com. This allows a single certificate to be used for multiple websites.

Expand your knowledge: Cannot Load Such File Openssl

Creating Certificates with OpenSSL

You can generate a Certificate Signing Request (CSR) with Alternative Names using a one-liner command with OpenSSL.

To do this, you need to specify all the common subject entries, including the Common Name (CN), Country (C), State (ST), City (L), Organization (O), Organization Unit (OU), and emailAddress. You also need to add the subjectAltName field and specify the DNS names you want to include.

Credit: youtube.com, OpenSSL: how to generate a CSR with interactively solicited Subject Alternative Names (SANs)?

Here's an example of how to generate a CSR that covers *.your-new-domain.com and your-new-domain.com in one command:

openssl req -new -newkey rsa:2048 -nodes -keyout your-new-domain.com.key -out your-new-domain.com.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=your-new-domain.com/[email protected]" -config <(cat san.cnf <

[req]

prompt=no

distinguished_name = dn_details

[dn_details]

C=US

ST=State

L=City

O=Organization

OU=Unit

CN=your-new-domain.com

subjectAltName=DNS:your-new-domain.com,DNS:*.your-new-domain.com

EOF

)

You can also use the -sha256 option to enable SHA256 signing instead of the old SHA1.

Here's a list of the common subject entries you'll need:

  • C - Country
  • ST - State
  • L - City
  • O - Organization
  • OU - Organization Unit
  • CN - Common Name (eg: the main domain the certificate should cover)
  • emailAddress - main administrative point of contact for the certificate

Subject Alternative Name

The Subject Alternative Name (SAN) extension allows various literal values to be included in the configuration file, such as email addresses, URI, DNS domain names, and IP addresses.

You can include a special 'copy' value in the email option to automatically include email addresses contained in the certificate subject name in the extension.

The IP address used in the IP options can be in either IPv4 or IPv6 format.

To generate a certificate with SAN extension using OpenSSL, you need to create a config first, which can include the IP address and other desired values.

For your interest: Alternative Email Addresses

Credit: youtube.com, What is the SSL Certificate Subject Alternative Name?

You can add additional IP addresses and hostnames in this section, making it easy to include multiple values.

The subject alternative name extension allows identities to be bound to the subject of the certificate, including Internet electronic mail addresses, DNS names, IP addresses, and Uniform Resource Identifiers (URI).

SAN can be used to issue certificates not only for multiple hostnames, but also for IP addresses.

There is no guarantee that a specific implementation will process a given extension, so it's essential to use certificates responsibly.

You should use the DER and ASN1 options with caution, as it's possible to create totally invalid extensions if they are not used carefully.

If an extension is multi-value and a field value must contain a comma, the long form must be used to avoid misinterpretation.

Certificate Configuration

To generate a certificate with a Subject Alternative Name (SAN) extension, you'll need to create a configuration file. This is done by creating a text file with a specific format, such as san.cnf.

In this file, you'll specify the IP address and optionally additional IP addresses and hostnames. This is where the magic happens, and the certificate is configured with the desired SAN extension.

The configuration file is then passed to OpenSSL, which generates a certificate with a private key.

Broaden your view: Openssl San

Create CSRF Configuration File

Person holding tablet with VPN connection screen for secure internet browsing.
Credit: pexels.com, Person holding tablet with VPN connection screen for secure internet browsing.

To create a CSRF configuration file, you'll need to create a configuration file that will be used to generate the CSR. This file is typically named synology-1512.cnf and can be created using the text editor of your choice.

The name of the configuration file is specified as synology-1512.cnf, which is a crucial detail to note.

This file is a crucial step in the process of generating a CSR, and its name is directly referenced in the example provided.

The configuration file is used to generate the CSR, and it's essential to have it ready before proceeding with the next steps.

Curious to learn more? Check out: Openssl to Create Certificate

Issuer Name

The issuer alternative name option is a convenient feature that supports all the literal options of subject alternative name.

You can use it to specify alternative names for the issuer, such as URLs or DNS names.

The issuer alternative name option does not support the email:copy option because it wouldn't make sense in this context.

However, it does support an additional issuer:copy option that will copy all the subject alternative name values from the issuer certificate, if possible.

This can be a huge time-saver if you need to duplicate a lot of information from the issuer certificate.

Readers also liked: Html Email Subject

OpenSSl CSR

Credit: youtube.com, How to create CSR for multiple domains (SAN - Subject Alternative Name) using OpenSSL ?

To generate a Certificate Signing Request (CSR) with OpenSSL, you need to use a specific syntax that includes the subjectAltName field. This field allows you to specify multiple hostnames or IP addresses that the certificate should cover.

Here's an example of how to generate a CSR with multiple hostnames: openssl req -new -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr -subj "/C=US/ST=State/L=Locality/O=Organization/CN=mydomain.com/[email protected]" -config <(cat /path/to/openssl.cnf <(echo "[req]" <

distinguished_name = dn_details

req_extensions = v3_req

EOF

)) -extensions v3_req -reqexts v3_req -config /path/to/openssl.cnf

You can add as many DNS.n entries under the subjectAltName field as you want, separated by commas. For example, to cover both www.example.com and example.com, you would add DNS.1 = example.com and DNS.2 = www.example.com.

Here's a list of the common Subject entries you'll need to specify:

  • C — Country
  • ST — State
  • L — City
  • O — Organization
  • OU — Organization Unit
  • CN — Common Name (eg: the main domain the certificate should cover)
  • emailAddress — main administrative point of contact for the certificate

Make sure to use the -sha256 option to enable SHA256 signing instead of the old SHA1 algorithm, which is now deprecated.

Cora Stoltenberg

Junior Writer

Cora Stoltenberg is a skilled writer with a passion for crafting engaging content on a wide range of topics. Her expertise spans various categories, including Search Engine Optimization (SEO) Strategies, where she provides actionable tips and insights to help businesses improve their online presence. With a keen eye for detail and a knack for simplifying complex concepts, Cora's writing is both informative and accessible to readers of all levels.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.