Here are the logs from generating a self-signed certificate that carries a subject alternative name (SAN) extension. The OpenSSL in use is Ubuntu's 1.0.1f package (the 1.0.1 series has been out of support since the end of 2016, but the procedure is the same on current releases).
# dpkg -l openssl
ii openssl 1.0.1f-1ubuntu amd64 Secure Sockets Layer toolkit - cryptograp
First, edit openssl.cnf.
Where is openssl.cnf?
# locate openssl.cnf
/etc/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf
Change to the directory and back up the original config before editing it.
# cd /etc/ssl/
# cp openssl.cnf openssl.cnf.org
edit openssl.cnf: in the [ req ] section make sure the line "req_extensions = v3_req" is present and not commented out. The stock Ubuntu openssl.cnf ships it commented out, and without it the SAN never makes it into the CSR.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req
attributes = req_attributes
edit openssl.cnf again: extend the [ v3_req ] section with a subjectAltName that points at an [alt_names] section listing every hostname the certificate must cover. List the hostname used as the common name as well (here www.foo.com), because modern browsers and TLS libraries match only against the SAN list and ignore the CN once a SAN is present.
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.foo.com
DNS.2 = www.bar.org
DNS.3 = www.foobar.net
generate a private key. genrsa writes the key unencrypted, so restrict its permissions (chmod 600 ssl_san.key) as soon as it exists.
# openssl genrsa -out ssl_san.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................+++
.................+++
e is 65537 (0x10001)
generate the CSR, specifying "www.foo.com" as the common name. The -config option points at the edited file so that the v3_req extensions are requested.
# openssl req -new -out ssl_san.csr -key ssl_san.key -config /etc/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.foo.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
dump the CSR info and check that the "Requested Extensions" block contains the SAN list.
# openssl req -text -noout -in ssl_san.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.foo.com
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:www.foo.com, DNS:www.bar.org, DNS:www.foobar.net
create the self-signed certificate. The "-extensions v3_req -extfile ..." options are required: openssl x509 -req does not carry over the extensions requested in the CSR, so without them the result is a certificate with only the CN and no SAN at all.
# openssl x509 -req -days 365 -in ssl_san.csr -signkey ssl_san.key -out ssl_san.crt -extensions v3_req -extfile /etc/ssl/openssl.cnf
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.foo.com
Getting Private key
dump the cert info (add -noout to skip the PEM block). Issuer and Subject are identical because the certificate is self-signed, and with CA:FALSE it cannot sign anything else, so clients have to trust this exact certificate directly rather than through a chain.
# openssl x509 -text -in ssl_san.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14707573325970862199 (0xcc1bcc041280f077)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.foo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:www.foo.com, DNS:www.bar.org, DNS:www.foobar.net
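The whole procedure above, as an added example that is not code from the original post: it runs non-interactively, writes a small private config file (assumed name san.cnf, in an output directory passed as an argument) instead of editing /etc/ssl/openssl.cnf, keeps the unencrypted key out of reach of other users, and then checks the result the way a TLS client would. The hostnames are the post's example names. The -checkhost option used for the final check needs OpenSSL 1.0.2 or later, so it is not available on the 1.0.1f build in the logs.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a SAN-bearing
# self-signed certificate with a private config file. Output directory,
# config file name (san.cnf) and hostnames are assumptions.
set -eu

# Write a minimal openssl config with only the sections the request needs.
# $1 = config path; remaining arguments are DNS names, the first of which
# also becomes the CN (so the CN is always covered by the SAN list).
write_san_config() {
    cfg=$1; shift
    {
        printf '[ req ]\n'
        printf 'default_bits = 2048\n'
        printf 'prompt = no\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\n\n'
        printf '[ req_distinguished_name ]\n'
        printf 'CN = %s\n\n' "$1"
        printf '[ v3_req ]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# Generate key, CSR and self-signed certificate into directory $1.
# Remaining arguments: DNS names, first one is the CN.
gen_san_cert() {
    dir=$1; shift
    mkdir -p "$dir"
    write_san_config "$dir/san.cnf" "$@"
    # umask 077 so the unencrypted key is never readable by other users.
    (umask 077; openssl genrsa -out "$dir/ssl_san.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/ssl_san.key" -out "$dir/ssl_san.csr" \
        -config "$dir/san.cnf"
    # -extensions/-extfile are mandatory: x509 -req drops the CSR's extensions.
    openssl x509 -req -days 365 -sha256 -in "$dir/ssl_san.csr" \
        -signkey "$dir/ssl_san.key" -out "$dir/ssl_san.crt" \
        -extensions v3_req -extfile "$dir/san.cnf" 2>/dev/null
}

# Print the SAN list of a certificate, e.g. "DNS:www.foo.com, DNS:www.bar.org".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Exit 0 if the certificate is valid for hostname $2 according to OpenSSL's
# own hostname matching (the logic a TLS client applies), non-zero otherwise.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Stand-alone run: sh san-cert.sh /tmp/san-demo
if [ $# -ge 1 ]; then
    gen_san_cert "$1" www.foo.com www.bar.org www.foobar.net
    echo "SAN: $(cert_san "$1/ssl_san.crt")"
    cert_matches_host "$1/ssl_san.crt" www.bar.org && echo "www.bar.org: matches"
fi
```

cert_matches_host is the check worth keeping around: it confirms that a name in the SAN list is accepted and, just as importantly, that a name missing from the list is rejected, which is exactly what a browser decides when it connects.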