Creating a SAN Certificate with OpenSSL and a .cnf File
A Subject Alternative Name (SAN) certificate secures several domains or subdomains with a single certificate: the SAN extension carries the full list of hostnames the certificate is valid for. OpenSSL, the open-source cryptographic toolkit, generates keys and certificate signing requests from the command line. This tutorial shows how to create a SAN certificate request with OpenSSL, using a .cnf configuration file so that the subject and the SAN list are declared once, in a file you can review and keep under version control, instead of being typed at interactive prompts.
Before we begin, ensure that you have OpenSSL installed on your machine. You can download OpenSSL from the official OpenSSL website and follow the installation instructions specific to your operating system.
Step 1: Create a Configuration File
Start by creating a new file called san_certificate.cnf and open it in a text editor.
Step 2: Define the Certificate Configuration Options
Within the san_certificate.cnf file, we specify the desired properties for our SAN certificate. Here is an example configuration:
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
C = US
ST = California
L = San Francisco
O = My Company
OU = IT Department
CN = www.example.com
[req_ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = subdomain.example.com
DNS.3 = anotherdomain.com
In this example, the [dn] section defines the distinguished name (DN) of the request, and the [req_ext] section lists the extensions the CSR asks for: key usage, the serverAuth extended key usage, and the subject alternative names, which are read from the [alt_names] section. [alt_names] lists three DNS names here, one of which (www.example.com) is also the CN. Repeating the CN in the SAN list is deliberate: modern browsers ignore the CN and match hostnames only against the SAN extension, so a name that appears solely as CN will not validate. Customize the list to the hostnames you actually serve, and keep in mind that a CA may drop or override any requested extension; the values in the CSR tell the CA what you want, not what it must issue.
Step 3: Generate the SAN Certificate
Once the configuration file is ready, open a terminal or command prompt and navigate to the directory where the san_certificate.cnf file is located.
Execute the following command to generate the SAN certificate:
openssl req -newkey rsa:2048 -nodes -keyout private.key -out certificate.csr -config san_certificate.cnf
Explanation of the command:
- req: Specifies that we are generating a certificate signing request (CSR).
- -newkey rsa:2048: Generates a new RSA key pair with a key length of 2048 bits. This takes precedence over default_bits in the .cnf file.
- -nodes: Skips the encryption of the private key, leaving it in plain text on disk. OpenSSL 3.0 renamed this option to -noenc; -nodes still works as an alias. Because the key is unprotected, restrict its permissions (for example chmod 600 private.key) and never copy it anywhere it does not need to be.
- -keyout private.key: Specifies the output file for the private key.
- -out certificate.csr: Specifies the output file for the CSR.
- -config san_certificate.cnf: Points OpenSSL to the configuration file we created.
Step 4: Prompts and Passphrases
With prompt = no in the configuration file and -nodes on the command line, OpenSSL asks no questions: the DN fields come from [dn] and the key is written unencrypted, so the command runs unattended. If you omit -nodes, OpenSSL prompts for a PEM pass phrase and stores the private key encrypted; you will need that pass phrase every time the key is loaded. If you remove prompt = no, OpenSSL asks for each DN field interactively instead of reading it from the file.
Step 5: Review and Use the Generated Files
After the command completes, verify the generated files rather than just opening them. Check that private.key parses and is internally consistent (openssl rsa -check), then decode certificate.csr locally (openssl req -noout -text -verify) and confirm the subject, the X509v3 Subject Alternative Name block listing every DNS name from [alt_names], and that the self-signature on the request verifies. An online decoder such as https://www.sslshopper.com/csr-decoder.html shows the same information; a CSR contains only public data, so pasting it there is harmless, but never paste the private key into any website.
At this stage, you can submit certificate.csr to a certification authority (CA). Keep private.key on the server where the certificate will be installed; the CA never needs it, and the issued certificate is only usable together with this key.
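The whole procedure as one runnable script, an added example that is not part of the original tutorial. It writes the san_certificate.cnf shown above, runs the Step 3 command, checks offline that every DNS name from [alt_names] actually landed in the CSR, and then self-signs the CSR into a test certificate to show a step the page does not cover: openssl x509 -req does not copy the CSR's extensions by default, so without -extfile and -extensions the SAN would silently disappear from the certificate. It assumes openssl is on PATH; the work directory, the 365-day validity and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes openssl is on PATH.
# Config and file names are the page's; the work directory, the 365-day
# validity and the function names are assumptions of this example.

# Steps 1 and 2: write san_certificate.cnf into the work directory.
write_config() {
    cat > "$1/san_certificate.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
C = US
ST = California
L = San Francisco
O = My Company
OU = IT Department
CN = www.example.com
[req_ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = subdomain.example.com
DNS.3 = anotherdomain.com
EOF
}

# Step 3: generate an unencrypted RSA key and the CSR. prompt = no in the
# config plus -nodes on the command line means no interactive questions.
make_san_csr() {
    dir="$1"
    write_config "$dir"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/private.key" -out "$dir/certificate.csr" \
        -config "$dir/san_certificate.cnf" 2>/dev/null || return 1
    chmod 600 "$dir/private.key"   # -nodes left the key in plain text
}

# Step 5, offline: decode the CSR, verify its self-signature, and confirm
# every expected name is present in the SAN extension. Returns 1 otherwise.
csr_has_sans() {
    csr="$1"; shift
    text=$(openssl req -in "$csr" -noout -text -verify 2>/dev/null) || return 1
    for name in "$@"; do
        printf '%s\n' "$text" | grep -qF "DNS:$name" || return 1
    done
}

# Self-sign the CSR into a test certificate. x509 -req does not copy the
# CSR's extensions by default, so -extfile/-extensions must name the same
# section again or the SAN vanishes; a CA you operate yourself has the
# same pitfall.
self_sign() {
    dir="$1"
    openssl x509 -req -in "$dir/certificate.csr" -signkey "$dir/private.key" \
        -days 365 -extfile "$dir/san_certificate.cnf" -extensions req_ext \
        -out "$dir/certificate.pem" 2>/dev/null
}

# Confirm the issued certificate still lists every expected SAN.
cert_has_sans() {
    crt="$1"; shift
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || return 1
    for name in "$@"; do
        printf '%s\n' "$text" | grep -qF "DNS:$name" || return 1
    done
}

# Usage: sh san_csr.sh [workdir]   (defaults to a fresh temporary directory)
workdir="${1:-$(mktemp -d)}"
if make_san_csr "$workdir" &&
   csr_has_sans "$workdir/certificate.csr" \
       www.example.com subdomain.example.com anotherdomain.com; then
    echo "CSR in $workdir lists all three SANs"
else
    echo "CSR check failed in $workdir" >&2
fi
```

The check functions grep the decoded text for DNS:name entries, so they are useful as a gate in a CI job that produces CSRs: a request missing a hostname, or a certificate that came back from a signing step without its SAN block, fails before anything is deployed.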