Thursday, October 29, 2015

Multidomain SSL certificate CSR generation and openssl custom config to simplify this process

Many CAs (certificate authorities) will sign multidomain SSL certificates, i.e. one certificate covering several host names.
Why is this useful?

  • cheaper than a wildcard (*.domain.com) when you need an SSL certificate for just 2-5 names, e.g. www.domain.com, domain.com and login.domain.com
  • cheaper and more convenient when you need one SSL certificate for both the wildcard and the domain apex, aka the "naked" or "root" domain (*.domain.com and domain.com), since a wildcard alone does not cover the apex


How do you make a CSR for these domains? With OpenSSL, of course, but there is a trick: OpenSSL does not support a multidomain configuration in interactive mode (when you answer OpenSSL's questions while generating the request), because the extra names go into the subjectAltName extension, which the prompts never ask for.

What options do we have:

  • Use non-interactive mode with a long command line and specify all parameters there (a really long line)
  • Create a custom config file and specify everything there. This config will also save you time at the next certificate renewal.

Let's build our custom config:


Wildcard multidomain:

Create file wild.yourdomain.cnf:
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName  = infosec
commonName = *.yourdomain.com

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = *.yourdomain.com

Generate csr:
openssl req -new -sha256 -key wild.yourdomain.com.key -out wild.yourdomain.com.csr -config wild.yourdomain.cnf

Multidomain:

Create file yourdomain.cnf:
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName  = infosec
# commonName should be one of the names listed in alt_names (no wildcard here)
commonName = www.yourdomain.com

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = www.yourdomain.com

Generate csr:
openssl req -new -sha256 -key yourdomain.com.key -out yourdomain.com.csr -config yourdomain.cnf
And of course you can use the same approach for an ordinary single domain (no req_extensions section is needed then):

Normal domain:

Create file login.yourdomain.cnf (a separate file name, so it does not overwrite the multidomain config above):
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
organizationName = it-security.ca
organizationalUnitName  = infosec
commonName = login.yourdomain.com

Generate csr:
openssl req -new -sha256 -key login.yourdomain.com.key -out login.yourdomain.com.csr -config login.yourdomain.cnf

More details about working with CSRs, OpenSSL certificates and related commands can be found here: http://security-ingvar-ua.blogspot.ca/2012/10/ssl-certificates-commands-and-tips.html

