Easily create your SAN (several hostnames on one IP) certificates for HTTPS with OpenSSL
Prerequisites:
- A Linux box (tested on Ubuntu Server 14.04)
- OpenSSL installed
What we will do:
- Create our own certificate authority. Browsers only trust it once you have deployed its certificate to the clients, so expect warnings until you do.
- Create a SAN certificate signed by that authority.
Let's start:
Create a folder for your authority. In this folder, create the two files below with the following content and make them executable (chmod +x gen_root_ca.sh gen_cert_san.sh):
gen_root_ca.sh (creates an authority valid for 3650 days):
#!/bin/bash
set -e    # stop at the first failing command
# the CA key is created readable only by you: whoever holds it can sign certificates that every client you deploy rootCA.pem to will trust
(umask 077; openssl genrsa -out rootCA.key 2048)
# self-signed root certificate, valid 3650 days; fill in the subject when prompted
openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem -sha256
gen_cert_san.sh (creates a SAN certificate valid for 1460 days):
#!/bin/bash
set -e    # stop at the first failing command
NAME=$1
echo "sample subject: /C=FR/ST=France/L=YourCity/O=YourOrganisation/CN=$NAME"
echo "input your subject below:"
read -r SUBJ
echo "sample: subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com,DNS:www.mydomain2.org"
echo "input your domain names like in the sample:"
read -r ALTNAME
# the name must be at least two characters, the subject and the SAN line must follow the samples
if [[ "$NAME" = ??* ]] && [[ "$SUBJ" = /C=*/ST=*/L=*/O=*/CN=* ]] && [[ "$ALTNAME" = subjectAltName=DNS:* ]]; then
    mkdir -p "$NAME"
    # copy the system config and reopen its [ v3_req ] section to add the SAN line;
    # OpenSSL merges a repeated section name, so the basicConstraints and keyUsage
    # already defined there are kept
    cp /etc/ssl/openssl.cnf "$NAME/"
    echo "[ v3_req ]" >> "$NAME/openssl.cnf"
    echo "$ALTNAME" >> "$NAME/openssl.cnf"
    openssl genrsa -out "$NAME/${NAME}_cert.key" 2048
    chmod 600 "$NAME/${NAME}_cert.key"    # the server key is readable only by you
    # certificate request carrying the SAN as a request extension
    openssl req -new -key "$NAME/${NAME}_cert.key" -out "$NAME/${NAME}_cert.csr" -sha256 -subj "$SUBJ" -config "$NAME/openssl.cnf" -reqexts v3_req
    # sign with the authority; -extfile/-extensions is what actually puts the SAN into
    # the certificate, because x509 -req does not copy the extensions of the request
    openssl x509 -req -in "$NAME/${NAME}_cert.csr" -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out "$NAME/${NAME}_cert.crt" -days 1460 -sha256 -extfile "$NAME/openssl.cnf" -extensions v3_req
    echo Done
else
    echo "Incorrect certificate name, subject or subjectAltName line" >&2
    exit 1
fi
Now execute ./gen_root_ca.sh and fill in your authority's details carefully. That's it for the authority. rootCA.key stays in this folder: it never needs to go anywhere else, and anyone who gets hold of it can issue certificates that your clients will trust. rootCA.pem is the part you deploy: copy rootCA.pem to rootCA.crt and install it on your clients. On a Windows box: double click rootCA.crt, Install Certificate, Next, check "Place all certificates in the following store", browse to "Trusted Root Certification Authorities", OK, Next, Finish. On a Debian/Ubuntu client: copy rootCA.crt to /usr/local/share/ca-certificates/ and run sudo update-ca-certificates. You're done!
Let's create our SAN certificate:
Choose a "certificate_name".
Execute ./gen_cert_san.sh my_certificate_name. I recommend preparing your subject line and your domain names line in a text editor, then pasting them at the prompts. Put every hostname the server answers to in the subjectAltName list, including the one you use as CN: modern browsers (Chrome since version 58, for instance) match the hostname against the SAN entries only and ignore the CN.
The script creates a folder my_certificate_name containing a .crt and a .key file. Use them with your favorite web server (Apache, nginx, Node.js...).
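The two scripts above are interactive and depend on the layout of /etc/ssl/openssl.cnf. The script below is an added example, not the page's own scripts: it runs the same genrsa / req / x509 steps non-interactively in a directory of your choice, writes its own minimal OpenSSL config (so it works where /etc/ssl/openssl.cnf is missing or different), and then checks from the command line what the browser test at the end of the page checks visually: that the certificate chains to rootCA.pem, is not itself a CA, and lists every expected hostname in its subjectAltName. The function names, the directory layout (rootCA.key / rootCA.pem / NAME_cert.*) and the sample subject and hostnames are assumptions chosen to match the page.

```shell
#!/bin/sh
# Added example, not the page's own scripts: non-interactive CA + SAN leaf,
# with a self-contained openssl.cnf and a command-line check of the result.
set -eu

# Write a minimal OpenSSL config. $1 = file to write, $2 = SAN list such as
# "DNS:mydomain.com,DNS:www.mydomain.com" (the value of the page's subjectAltName= line).
write_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
# placeholder only: -subj on the command line overrides it
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $2
EOF
}

# Create rootCA.key / rootCA.pem in $1 unless they already exist (3650 days, as on the page).
make_root_ca() {
    dir=$1
    mkdir -p "$dir"
    [ -f "$dir/rootCA.pem" ] && return 0
    write_cnf "$dir/ca.cnf" "DNS:unused"   # v3_req is not used for the CA itself
    # umask 077: the CA key is the one secret that must never be readable by others
    (umask 077 && openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null)
    openssl req -x509 -new -sha256 -days 3650 -key "$dir/rootCA.key" \
        -subj "/C=FR/ST=France/L=YourCity/O=YourOrganisation/CN=My Private Root CA" \
        -config "$dir/ca.cnf" -extensions v3_ca -out "$dir/rootCA.pem"
}

# Issue a SAN leaf certificate signed by the CA in $1.
# $2 = certificate name, $3 = subject, $4 = SAN list ("DNS:a,DNS:b")
make_san_cert() {
    dir=$1; name=$2; subj=$3; sans=$4
    make_root_ca "$dir"
    write_cnf "$dir/$name.cnf" "$sans"
    (umask 077 && openssl genrsa -out "$dir/${name}_cert.key" 2048 2>/dev/null)
    # request carrying the SAN as a request extension ...
    openssl req -new -sha256 -key "$dir/${name}_cert.key" -subj "$subj" \
        -config "$dir/$name.cnf" -reqexts v3_req -out "$dir/${name}_cert.csr"
    # ... and the signed certificate; -extfile/-extensions is what puts the SAN
    # into the certificate, since x509 -req does not copy the request's extensions
    openssl x509 -req -sha256 -days 1460 -in "$dir/${name}_cert.csr" \
        -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -extfile "$dir/$name.cnf" -extensions v3_req -out "$dir/${name}_cert.crt" 2>/dev/null
}

# Check the certificate: it chains to rootCA.pem, is not itself a CA, and lists
# every DNS name given as $3.. in its subjectAltName. Returns 0 on success.
verify_san_cert() {
    dir=$1; name=$2; shift 2
    crt="$dir/${name}_cert.crt"
    openssl verify -CAfile "$dir/rootCA.pem" "$crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$crt" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    # one DNS name per line, matched whole: mydomain.com must not be accepted
    # just because www.mydomain.com or mydomain.com.evil is present
    sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    for host in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$host" || return 1
    done
}

# Usage: ./make_san_cert.sh ./ca my_certificate_name
# (the demo below runs only when a directory argument is given)
if [ "$#" -ge 1 ]; then
    CADIR=$1; CERTNAME=${2:-my_certificate_name}
    make_san_cert "$CADIR" "$CERTNAME" \
        "/C=FR/ST=France/L=YourCity/O=YourOrganisation/CN=mydomain.com" \
        "DNS:mydomain.com,DNS:www.mydomain.com,DNS:www.mydomain2.org"
    verify_san_cert "$CADIR" "$CERTNAME" mydomain.com www.mydomain.com www.mydomain2.org \
        && echo "$CADIR/${CERTNAME}_cert.crt: chains to rootCA.pem and carries all SAN entries"
fi
```

The config is written fresh for every certificate, so the SAN list is the only thing that changes between runs, and the CA is reused once it exists. The check deliberately compares whole names: a substring test would accept mydomain.com for a certificate that only lists www.mydomain.com, which is exactly the mistake browsers reject.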
Now test your certificate: on a client where the authority certificate is installed you will get a beautiful: