Creating SAN Certificates with OpenSSL
I use this every time I need to create a certificate signing request (CSR) for SAN certificates and single-name certificates. This works for both
We will use server01-san_cert.cnf for the config file; use whatever name makes sense for you.
I copy the config below into a new file, named for the server/service I am creating the CSR for.
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
emailAddress = Email Address
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.0.2.25
DNS.1 = servername.fqdn.com
DNS.2 = friendlyname.fqdn.com
Adding an updated x509v3 configuration
This version also requests basicConstraints, keyUsage and extendedKeyUsage in the CSR. Note that x509_extensions = usr_cert is only used when openssl req is run with -x509 to produce a self-signed certificate; for a CSR it is req_extensions = v3_ext that applies, and the issuing CA decides which of the requested extensions actually end up in the certificate. Trim extendedKeyUsage to what the service needs (a TLS server certificate normally needs only serverAuth).
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_ext
x509_extensions = usr_cert
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
# OU is the short name for organizationalUnitName above, so keeping both prompts for the OU twice
OU = Organizational Unit
[v3_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names
[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[alt_names]
DNS.1 = servername.fqdn.com
DNS.2 = friendlyname.fqdn.com
IP.1 = 192.0.2.25
Next, use openssl to generate the CSR and private key, using the config file:
openssl req -new -config server01-san_cert.cnf -out server01_cert.csr -keyout server01_priv.key
Note: save the passphrase used to encrypt the key; you will need it later.
You should get prompted for the certificate information, as below:
Generating a RSA private key
.............................................................+++++
...+++++
writing new private key to 'server01_priv.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:San Diego
Organizational Unit Name (eg, section) []:NotARealCompany
Common Name (eg, your name or your server's hostname) []:server01.example.com
Email Address []:admin@example.com
That will generate your CSR and private key, which in our example are
server01_cert.csr
server01_priv.key
Next, we can verify that the CSR contains the alternate names we configured by running the following:
openssl req -noout -text -in server01_cert.csr | grep -A 1 "Subject Alternative Name"
X509v3 Subject Alternative Name:
IP Address:10.1.1.1, IP Address:10.1.1.2, IP Address:10.1.1.3, DNS:server01a.example.com, DNS:server01b.example.com
And that’s it. Go ahead and use that CSR to generate a certificate with your CA and then use the certificate and key (that you generated) to install onto a server or service.
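As an added example (not part of the original post), the following POSIX shell script builds the SAN config from a list of DNS:/IP: entries, generates the key and CSR with no interactive prompts, and checks each expected SAN against what the CSR actually carries, which is the step that catches a name that was left out of alt_names. The function names and file names are mine; it assumes openssl is on PATH, and the key it writes is unencrypted, so restrict its permissions.

```shell
#!/bin/sh
# Added example: non-interactive SAN CSR generation plus a SAN check.
set -eu

# write_san_config CONFIG CN SAN...  (SAN entries as "DNS:name" or "IP:addr")
write_san_config() {
    cfg="$1"; cn="$2"; shift 2
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_ext\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[v3_ext]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'            # only what a TLS server needs
        printf 'subjectAltName = @alt_names\n[alt_names]\n'
        dns_n=0; ip_n=0
        for san in "$@"; do
            case "$san" in
                DNS:*) dns_n=$((dns_n + 1)); printf 'DNS.%d = %s\n' "$dns_n" "${san#DNS:}" ;;
                IP:*)  ip_n=$((ip_n + 1));   printf 'IP.%d = %s\n'  "$ip_n"  "${san#IP:}" ;;
                *)     echo "unsupported SAN type: $san" >&2; return 1 ;;
            esac
        done
    } > "$cfg"
}

# make_csr CONFIG KEYFILE CSRFILE : 2048-bit RSA key (unencrypted, -nodes) and CSR
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1" -keyout "$2" -out "$3" 2>/dev/null
    chmod 600 "$2"    # the key has no passphrase, so file permissions are its only protection
}

# check_csr_san CSRFILE SAN : succeed only if the CSR carries exactly that SAN entry.
# openssl prints IP entries as "IP Address:x", which is normalised to "IP:x" here.
check_csr_san() {
    openssl req -noout -text -in "$1" \
        | grep -A 1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//; s/^IP Address:/IP:/' \
        | grep -qxF "$2"
}
```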
Converting an ENCRYPTED PRIVATE KEY to a PRIVATE KEY (not encrypted)
This is something that I had to do recently, for the first time, and it is definitely worth making note of for the future. If the application that you are generating and configuring the certificate for requires that the private key not be encrypted (hopefully the documentation mentions it), then this is how you would do it.
The private key generated by the steps above is encrypted using the passphrase you provided (make sure to save that). You can use the same passphrase with the following command to do the conversion:
openssl rsa -in encrypted_priv.key -out notencrypted_priv.key
You will be asked for the passphrase (the same one you used when generating the original CSR and key) and it will write out the unencrypted key. Since that file is no longer protected by a passphrase, restrict its permissions (for example, chmod 600) and keep it only where the service needs it.
-eof-