A number of CAs (Certificate Authorities) allow you to sign multi-domain SSL certificates.
Why is it very useful?
- cheaper than a wildcard (*.domain.com) when you need an SSL cert for just 2-5 domains, like www.domain.com, domain.com and login.domain.com
- cheaper and more convenient when you need an SSL certificate for a wildcard domain plus the domain apex, aka "naked" or "root" domain (*.domain.com and domain.com)
How to make a CSR for these domains? Sure thing, using OpenSSL, but you need a trick here: OpenSSL does not support multi-domain configuration in interactive mode (when you answer OpenSSL's questions while generating the request).
What options do we have?
- Use non-interactive mode with a long command line and specify all parameters there (a really long line)
- Create a custom config and specify everything there. Moreover, this config will help you during certificate renewal next time.
Let's build our custom config:
Wildcard multidomain:
Create file wild.yourdomain.cnf:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName = infosec
commonName = *.yourdomain.com

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = *.yourdomain.com

Generate the CSR:
openssl req -new -sha256 -key wild.yourdomain.com.key -out wild.yourdomain.com.csr -config wild.yourdomain.cnf
Multidomain:
Create file yourdomain.cnf:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName = infosec
# The CN must be one of the names listed in alt_names (no wildcard here)
commonName = yourdomain.com

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = www.yourdomain.com

Generate the CSR:
openssl req -new -sha256 -key yourdomain.com.key -out yourdomain.com.csr -config yourdomain.cnf
And sure thing, you can use the same approach for a normal single domain:
Normal domain:
Create file yourdomain.cnf:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName = infosec
commonName = login.yourdomain.com

Generate the CSR:
openssl req -new -sha256 -key yourdomain.com.key -out yourdomain.com.csr -config yourdomain.cnf
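As an added example (not part of the original post), the POSIX shell script below automates the procedure from the three sections above: it generates the private key, writes the config with the SAN list, generates the CSR, and then verifies the request and prints its SAN entries so you can confirm every name is present before sending the CSR to the CA. The function names make_san_csr and csr_sans are my own; the subject fields and the yourdomain.com names are taken from the configs above. It assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: make_san_csr <basename> <commonName> <dns1> [dns2 ...]
# Writes <basename>.key, <basename>.cnf and <basename>.csr in the current directory.
set -e

make_san_csr() {
    base="$1"; cn="$2"; shift 2
    # Private key first: the CSR is signed with it (2048-bit RSA, as in the post).
    openssl genrsa -out "$base.key" 2048 2>/dev/null
    # Build the [alt_names] section from the remaining arguments (DNS.1, DNS.2, ...).
    alt=""
    i=1
    for name in "$@"; do
        alt="${alt}DNS.${i} = ${name}
"
        i=$((i + 1))
    done
    # Same layout as the configs in the post; prompt = no makes it non-interactive.
    cat > "$base.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName = infosec
commonName = ${cn}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
${alt}
EOF
    openssl req -new -sha256 -key "$base.key" -out "$base.csr" -config "$base.cnf"
}

# Print the SAN entries carried by a CSR (e.g. "DNS:yourdomain.com,DNS:www.yourdomain.com").
# Returns non-zero if the CSR does not pass its own signature check.
csr_sans() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -text | grep 'DNS:' | tr -d ' '
}

# Example run: a two-name (apex + www) request, as in the "Multidomain" section.
# make_san_csr yourdomain.com yourdomain.com yourdomain.com www.yourdomain.com
# csr_sans yourdomain.com.csr
```

Run csr_sans on every CSR before submitting it: a name missing from the alt_names section is the most common reason a multi-domain certificate comes back from the CA covering fewer hosts than expected, and it is far cheaper to catch that in the request than in the issued certificate.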
More details about working with CSRs, OpenSSL certificates etc. you can find here: http://security-ingvar-ua.blogspot.ca/2012/10/ssl-certificates-commands-and-tips.html