This how-to has to deal with SSL and something called Subject Alternative Names. When a normal SSL certificate is generated its usually for one host for example https://www.domain.com. The problem with this is that you cannot use the same certificate for say ftps://ftp.domain.com. The mismatch between the hostnames ‘www’ vs ‘ftp’ would cause issues validating the certificate if it were installed on ftp.domain.com.
There are two ways around this, The first way is you can create a wildcard certificate, which you can use for any host like www and ftp and mail.domain.com. As this certificate works for ANY hostname under your domain, there are obvious security risks.
The second way around and more secure way to do this is to use a certificate that has Subject Alternative Names enabled. This option allows you specify what hostnames the certificate is valid for and its only valid for those hosts.
Here is how you generate a CSR using Subject alternative names on RHEL / CentOS 5.6
Step 1 – Add SAN info into a copy of /etc/pki/tls/openssl.cnf
cp /etc/pki/tls/openssl.cnf ~/openssl-copy.cnf
edit ~/openssl-copy.cnf using your favorite editor, like vim or pico.
vi ~/openssl-copy.cnf
Add the following to the bottom of the [ v3_req ] section:
subjectAltName=DNS:othername.domain.com
And then uncomment the following line:
# req_extensions = v3_req # The extensions to add to a certificate request
So it looks like :
req_extensions = v3_req # The extensions to add to a certificate request
Save and exit your file.
:wq
Step 2 – Generate Key
openssl genrsa -des3 -out www.domain.com.key 2048
Step 3 – Generate CSR using SAN enabled cnf file.
OPENSSL_CONF=/etc/pki/tls/openssl-copy.cnf openssl req -new -key www.domain.com.key -out www.domain.com.csr
Step 4 – Check your CSR using the CSR Decoder at sslshoper.com. Make sure the SAN looks like you want it.
Step 5 – Submit CSR to CA and get certificate.
Step 6 – Install Certificate, Key and CA certificates on your web server.
Leave a Reply