Generate a CSR using Subject Alternative Names on RHEL / CentOS 5.6

This how-to deals with SSL certificates and something called Subject Alternative Names (SANs). When a normal SSL certificate is generated it is usually for one host, for example https://www.domain.com. The problem with this is that you cannot use the same certificate for, say, ftps://ftp.domain.com: the mismatch between the hostnames 'www' and 'ftp' would make the certificate fail validation if it were installed on ftp.domain.com.

There are two ways around this. The first is to create a wildcard certificate for *.domain.com, which you can use for any host directly under the domain, like www, ftp and mail.domain.com. Because that one certificate (and therefore one private key) is valid for ANY hostname at that level of your domain, it carries obvious security risks: if the key is stolen from any one host, the attacker can impersonate every other host under the domain, including ones you have not created yet.

The second and more secure way is to use a certificate with Subject Alternative Names. This extension lets you list exactly which hostnames the certificate is valid for, and it is valid only for those hosts.

Here is how you generate a CSR using Subject Alternative Names on RHEL / CentOS 5.6.

Step 1 – Add SAN info into a copy of /etc/pki/tls/openssl.cnf

cp /etc/pki/tls/openssl.cnf ~/openssl-copy.cnf

edit ~/openssl-copy.cnf using your favorite editor, like vim or pico.

vi ~/openssl-copy.cnf

Add the following to the bottom of the [ v3_req ] section, listing every hostname the certificate should cover. Include the name you will later enter as the Common Name (here www.domain.com) as well: modern browsers ignore the CN once a SAN extension is present, so a name missing from this list is not covered.

subjectAltName=DNS:www.domain.com,DNS:othername.domain.com

And then uncomment the following line:

# req_extensions = v3_req # The extensions to add to a certificate request

So it looks like :

req_extensions = v3_req # The extensions to add to a certificate request

Save and exit your file.

:wq

Step 2 – Generate Key

openssl genrsa -des3 -out www.domain.com.key 2048

The -des3 option encrypts the key with a passphrase that you will be asked for now and again every time the web server starts. If that is not acceptable on an unattended server, generate the key without -des3 and make sure the key file is readable by root only.

Step 3 – Generate CSR using the SAN-enabled cnf file.

OPENSSL_CONF=$HOME/openssl-copy.cnf openssl req -new -key www.domain.com.key -out www.domain.com.csr

The copy you made in Step 1 lives in your home directory, so the path must point there, not at /etc/pki/tls. Passing -config $HOME/openssl-copy.cnf to openssl req does the same job as setting OPENSSL_CONF. When prompted for the Common Name, enter the primary hostname (www.domain.com).

Step 4 – Check your CSR before you submit it, for example with the CSR Decoder at sslshopper.com (a CSR contains only public data, never the private key, so pasting it there is safe) or locally with openssl. Make sure the SAN list contains exactly the hostnames you want; a name you forget here will not be in the issued certificate.

Step 5 – Submit CSR to CA and get certificate.

Step 6 – Install Certificate, Key and CA certificates on your web server.
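The whole procedure as one non-interactive script, an added example that is not part of the original post. Instead of editing a copy of /etc/pki/tls/openssl.cnf it writes a small stand-alone config file, generates the key without -des3 so no passphrase prompt is needed (and restricts the file permissions instead), builds the CSR with -config rather than OPENSSL_CONF, and then performs the Step 4 check with openssl itself by verifying the CSR's self-signature and printing the requested SAN list. The hostnames www/ftp/mail.domain.com and the C/ST/L/O values are placeholders; substitute your own.

```shell
#!/bin/sh
# Added example: generate a SAN-enabled CSR end to end and verify it.
# Assumptions: openssl is on PATH; hostnames and DN fields below are placeholders.
set -e

# Write a minimal, self-contained openssl config for the CSR.
# The CN is repeated as DNS.1: browsers ignore the CN when a SAN is present,
# so every name the certificate must cover has to be in the SAN list.
make_san_config() {
  cnf=$1; cn=$2; shift 2
  {
    printf '[ req ]\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'req_extensions = v3_req\n'
    printf 'prompt = no\n\n'
    printf '[ req_distinguished_name ]\n'
    printf 'C = US\nST = State\nL = City\nO = Example Org\n'
    printf 'CN = %s\n\n' "$cn"
    printf '[ v3_req ]\n'
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n\n'
    printf '[ alt_names ]\n'
    i=1
    for name in "$cn" "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$cnf"
}

# Step 2 equivalent, without -des3 so it needs no passphrase; the key file is
# therefore unencrypted and is made readable by its owner only.
gen_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  chmod 600 "$1"
}

# Step 3 equivalent: -config points openssl req at the SAN-enabled config.
gen_csr() {
  cnf=$1; key=$2; csr=$3
  openssl req -new -key "$key" -out "$csr" -config "$cnf"
}

# Step 4 equivalent: checks the CSR's self-signature (exit status 0 on success).
verify_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Step 4 equivalent: prints the requested SAN list, e.g.
# "DNS:www.domain.com, DNS:ftp.domain.com, DNS:mail.domain.com".
csr_sans() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Run the procedure end to end in the given directory.
demo() {
  dir=${1:-.}
  make_san_config "$dir/openssl-san.cnf" www.domain.com ftp.domain.com mail.domain.com
  gen_key "$dir/www.domain.com.key"
  gen_csr "$dir/openssl-san.cnf" "$dir/www.domain.com.key" "$dir/www.domain.com.csr"
  verify_csr "$dir/www.domain.com.csr"
  echo "CSR written to $dir/www.domain.com.csr"
  echo "Requested SANs: $(csr_sans "$dir/www.domain.com.csr")"
}

# Only run the demo when invoked as: sh san_csr.sh demo [outdir]
if [ "${1:-}" = "demo" ]; then
  demo "${2:-.}"
fi
```

Save it as san_csr.sh and run sh san_csr.sh demo /tmp/csr to get the key, config and CSR in /tmp/csr; the last line printed is the SAN list the CA will see. If you prefer the passphrase-protected key from Step 2, keep that key and pass it to gen_csr unchanged; openssl will prompt for the passphrase.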

