Easily create your SAN (multiple hostnames on one IP) certificates for HTTPS with OpenSSL

Prerequisites:

  • A Linux box (tested on Ubuntu Server 14.04)
  • OpenSSL installed

What we will do:

  • Create our own certificate authority. Its certificate must be deployed to every client, otherwise browsers will warn about an unknown issuer.
  • Create a SAN certificate signed by that authority.

Let's start:

Create a folder for your authority. In this folder, create the two files below with the following content and make them executable (chmod +x):

gen_root_ca.sh (creates an authority valid for 3650 days):

#!/bin/bash
# Generates the private authority: rootCA.key (private key) and rootCA.pem (self-signed cert).
# rootCA.key is written without a passphrase: anyone who obtains it can mint certificates
# trusted by every client you deploy rootCA.pem to, so keep it off the web server and
# restrict its permissions.
set -e
openssl genrsa -out rootCA.key 2048
chmod 600 rootCA.key
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem -sha256

gen_cert_san.sh (creates a SAN certificate valid for 1460 days; note that Apple platforms reject TLS server certificates valid for more than 825 days, so lower the -days value if iOS or macOS clients are in scope):

#!/bin/bash
# Usage: ./gen_cert_san.sh certificate_name
# Issues a SAN certificate signed by rootCA.key / rootCA.pem from the current directory.
set -e
NAME="$1"
echo "sample subject: /C=FR/ST=France/L=YourCity/O=YourOrganisation/CN=$NAME"
echo "input your subject below:"
read -r SUBJ
echo "sample: subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com,DNS:www.mydomain2.org"
echo "input your domain names like in the sample:"
read -r ALTNAME
# The name becomes a directory, so it must be at least two characters and contain no slash;
# the SAN line must really be a subjectAltName= line or the extension step fails later.
if [[ "$NAME" = ??* && "$NAME" != */* ]] && [[ "$SUBJ" = /C=*/ST=*/L=*/O=*/CN=* ]] && [[ "$ALTNAME" = subjectAltName=DNS:* ]]; then
  mkdir "$NAME"
  # Work on a copy of the system config: the appended lines extend its existing
  # [ v3_req ] section (basicConstraints = CA:FALSE, keyUsage) with the SAN list.
  cp /etc/ssl/openssl.cnf "$NAME/"
  echo "[ v3_req ]" >> "$NAME/openssl.cnf"
  echo "$ALTNAME" >> "$NAME/openssl.cnf"
  openssl genrsa -out "$NAME/${NAME}_cert.key" 2048
  chmod 600 "$NAME/${NAME}_cert.key"
  # -reqexts puts the SAN into the CSR; -extensions only applies to self-signed (-x509) requests
  openssl req -new -key "$NAME/${NAME}_cert.key" -out "$NAME/${NAME}_cert.csr" -sha256 -subj "$SUBJ" -config "$NAME/openssl.cnf" -reqexts v3_req
  # Sign with the root; -extfile/-extensions copies the same v3_req section into the certificate
  openssl x509 -req -in "$NAME/${NAME}_cert.csr" -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out "$NAME/${NAME}_cert.crt" -days 1460 -sha256 -extfile "$NAME/openssl.cnf" -extensions v3_req
  echo Done
else
  echo "Incorrect certificate name, subject or subjectAltName line"
fi

Now execute ./gen_root_ca.sh and fill in your authority information carefully. That's it for the authority: copy rootCA.pem to rootCA.crt and deploy it to your clients. On a Windows box: double-click rootCA.crt, Install Certificate, Next, check "Place all certificates in the following store", browse to "Trusted Root Certification Authorities", OK, Next, Finish. You're done! Two caveats: Firefox keeps its own certificate store and, depending on version and configuration, may not pick up the Windows root store, so import rootCA.crt there separately if it still warns; and never copy rootCA.key to the clients or to the web server, since whoever holds it can issue certificates that all those clients trust.

Let's create our SAN certificate:
Choose a certificate_name.
Execute ./gen_cert_san.sh my_certificate_name. I recommend preparing your subject line and your domain names line in a text editor first, then pasting them at the prompts.

The script will create a folder my_certificate_name containing a .crt and a .key file. Use them with your favorite web server (Apache, nginx, Node.js…). The certificate carries a subjectAltName extension, which is what modern browsers match the hostname against (the CN alone is ignored), so every name the server answers to must appear in that list.

Now test your certificate: on a client where the authority certificate is installed, the browser shows the padlock with no warning.

[screenshots of the browser's certificate viewer, not reproduced here]
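Before trusting the browser's padlock, it is worth checking the result from the command line. The script below is an added example, not one of the post's scripts: it runs the same CA-plus-SAN procedure non-interactively, using a dedicated extension file instead of a patched copy of /etc/ssl/openssl.cnf, then verifies the chain, prints the SAN list and checks a hostname against it with openssl verify. The organisation, names and domains in it are made-up illustrations, and it assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive CA + SAN leaf generation
# plus the checks to run before deploying. Assumes `openssl` is installed; all names and
# domains below are constructed illustrations.
set -eu

# gen_pki DIR NAME SANS : create rootCA.{key,pem} (if absent) and NAME.{key,csr,crt} in DIR;
# SANS is a comma-separated list such as "DNS:a.example,DNS:b.example".
gen_pki() {
    dir="$1"; name="$2"; sans="$3"
    mkdir -p "$dir"
    # One config drives every step: a minimal [req] (openssl req insists on a
    # distinguished_name section even when -subj is given), CA extensions, leaf extensions.
    # subjectAltName is what browsers match the hostname against; the CN is ignored once
    # a SAN is present.
    cat > "$dir/pki.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
    if [ ! -f "$dir/rootCA.key" ]; then
        openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
        chmod 600 "$dir/rootCA.key"   # unencrypted CA key: restrict who can read it
        openssl req -x509 -new -key "$dir/rootCA.key" -days 3650 -sha256 \
            -subj "/C=FR/ST=France/L=YourCity/O=YourOrganisation/CN=Example Private Root CA" \
            -config "$dir/pki.cnf" -extensions v3_ca -out "$dir/rootCA.pem"
    fi
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/$name.key"
    # The CSR carries the SAN too (-reqexts), so it could also be sent to an external CA.
    openssl req -new -key "$dir/$name.key" -sha256 \
        -subj "/C=FR/ST=France/L=YourCity/O=YourOrganisation/CN=$name" \
        -config "$dir/pki.cnf" -reqexts v3_leaf -out "$dir/$name.csr"
    # 825 days is the longest lifetime Apple clients accept for a TLS server certificate.
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/pki.cnf" -extensions v3_leaf -out "$dir/$name.crt" 2>/dev/null
}

# san_of CERT : print the certificate's subjectAltName line, e.g. "DNS:a.example, DNS:b.example"
san_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# chain_ok DIR NAME : succeed when NAME.crt chains to rootCA.pem. The output is checked rather
# than the exit code because old OpenSSL releases exit 0 even when verification fails.
chain_ok() {
    openssl verify -CAfile "$1/rootCA.pem" "$1/$2.crt" 2>/dev/null | grep -q ': OK$'
}

# host_ok DIR NAME HOST : succeed when HOST matches one of NAME.crt's SAN entries
host_ok() {
    openssl verify -CAfile "$1/rootCA.pem" -verify_hostname "$3" "$1/$2.crt" 2>/dev/null | grep -q ': OK$'
}

# Stand-alone demo in a throwaway directory, with constructed names.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    gen_pki "$demo" mysite "DNS:mydomain.com,DNS:www.mydomain.com,DNS:www.mydomain2.org"
    echo "SAN: $(san_of "$demo/mysite.crt")"
    if chain_ok "$demo" mysite; then echo "chain: OK"; else echo "chain: FAILED"; fi
    if host_ok "$demo" mysite www.mydomain2.org; then echo "www.mydomain2.org: matches a SAN entry"; fi
    if ! host_ok "$demo" mysite other.example; then echo "other.example: rejected (not in SAN)"; fi
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

The hostname check is the one the browser performs: other.example is rejected even though the chain is valid, because it is absent from the SAN list, which is exactly the failure you get when a name is forgotten at the prompt of gen_cert_san.sh.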