Add a subject alternative name to an SSL certificate with openssl

Joined:
04/09/2007
Posts:
784

March 31, 2011 15:03:26    Last update: April 01, 2011 12:34:50
  1. Create an openssl configuration file which enables subject alternative names (openssl.cnf):
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    
    [req_distinguished_name]
    countryName = Country Name (2 letter code)
    countryName_default = US
    localityName = Locality Name (eg, city)
    organizationalUnitName = Organizational Unit Name (eg, section)
    commonName = Common Name (eg, YOUR name)
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_max = 40
    
    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1   = www.foo.com
    DNS.2   = www.bar.org
    IP.1    = 192.168.1.1
    IP.2    = 192.168.69.144
    


  2. Create a certificate request using above configuration file:
    C:\work>openssl req -new -key testServer.key -out testServer.csr -config openssl.cnf
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    Locality Name (eg, city) []:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:
    Email Address []:
    


  3. Verify the request was created successfully:
    C:\work>openssl req -text -noout -in testServer.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:ca:c4:8d:8d:0d:69:48:c7:4f:4e:ea:e6:c3:36:
                        2d:7c:a5:96:96:c4:db:a3:4b:0c:b2:d9:0d:b6:af:
                        eb:4d:4b:31:32:f8:b5:74:6b:7f:77:46:0a:ac:9b:
                        3c:d7:a9:88:40:41:49:c9:e4:d8:ce:57:0d:ef:77:
                        d8:a2:45:c6:20:ea:f3:c0:59:94:20:4a:16:0a:c7:
                        ac:4e:48:b7:a3:35:1c:40:0e:ba:93:8f:5d:43:e0:
                        f2:6d:3b:9a:12:c4:1e:4d:19:48:9f:35:92:89:b1:
                        e6:96:a9:8e:b2:8d:a3:13:f3:6c:61:28:13:75:03:
                        db:04:79:11:46:00:b8:79:0b
                    Exponent: 65537 (0x10001)
            Attributes:
            Requested Extensions:
                X509v3 Key Usage:
                    Key Encipherment, Data Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Subject Alternative Name:
                    DNS:www.foo.com, DNS:www.bar.org, IP Address:192.168.1.1, IP Address:192.168.69.144
        Signature Algorithm: sha1WithRSAEncryption
            6d:9a:35:5c:23:74:71:1a:ea:d0:69:f7:13:c9:d7:7c:4c:1d:
            b7:b5:82:76:3d:c3:20:fd:9a:1b:b6:18:b1:58:14:0c:b7:77:
            54:a8:99:eb:aa:bc:bc:02:f2:ba:71:16:97:9c:0a:74:ff:b9:
            2c:c1:87:2a:27:59:23:ff:02:4e:d3:44:26:68:42:03:c9:c1:
            38:65:ad:7b:e5:e7:08:58:d3:fc:06:b9:1d:e9:33:b0:b0:04:
            e5:4c:92:16:54:31:58:77:6f:f5:37:15:27:7b:a3:7b:da:b5:
            18:74:d1:39:0b:f5:37:25:f1:a1:96:d9:36:35:b3:3e:65:9e:
            92:1f
    


  4. (Optional) self-sign the certificate request. The `-extensions v3_req -extfile openssl.cnf` options are required here: `openssl x509 -req` does not carry the requested extensions over from the CSR on its own, so without them the issued certificate would have no subject alternative names:
    C:\work>openssl x509 -req -days 3650 -in testServer.csr -signkey testServer.key -out testServer.crt -extensions v3_req -extfile openssl.cnf
    Signature ok
    subject=/C=US
    Getting Private key
    
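The four steps above as one script, so the whole flow can be exercised and checked in a scratch directory. This is an added example, not code from the post: it writes its own `openssl.cnf` modeled on the one above (with `prompt = no` so the DN is taken from the file instead of asked interactively), uses hypothetical file names (`san-demo.key`, `san-demo.csr`, `san-demo.crt`), generates a 2048-bit key, and assumes `openssl` is on the PATH. The last function goes a step beyond the post and uses `openssl verify -verify_hostname` to show the practical effect of the SAN list: a name listed under `[alt_names]` validates, any other name does not.

```shell
#!/bin/sh
# Added example (not the post's own code): build a CSR with subjectAltName,
# self-sign it carrying the v3_req extensions, then check the result.
set -eu

# Scratch directory for key, CSR, certificate and config (hypothetical paths)
WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_san_config() {
  # $1 = config path to write. Constructed config modeled on the post's openssl.cnf;
  # the DNS/IP entries are sample values, not real hosts.
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
CN = www.foo.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.foo.com
DNS.2 = www.bar.org
IP.1 = 192.168.1.1
EOF
}

make_san_cert() {
  # Steps 1, 2 and 4 of the post: config, key + CSR, self-signed certificate.
  write_san_config "$WORKDIR/openssl.cnf"
  openssl genrsa -out "$WORKDIR/san-demo.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/san-demo.key" -out "$WORKDIR/san-demo.csr" \
    -config "$WORKDIR/openssl.cnf"
  # -extensions/-extfile are what copy the SAN into the issued certificate;
  # x509 -req ignores the extensions requested in the CSR otherwise.
  openssl x509 -req -days 3650 -in "$WORKDIR/san-demo.csr" \
    -signkey "$WORKDIR/san-demo.key" -out "$WORKDIR/san-demo.crt" \
    -extensions v3_req -extfile "$WORKDIR/openssl.cnf" 2>/dev/null
}

cert_sans() {
  # Step 3 applied to the certificate: print the SAN line, e.g.
  # "DNS:www.foo.com, DNS:www.bar.org, IP Address:192.168.1.1"
  openssl x509 -in "$WORKDIR/san-demo.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

cert_has_san() {
  # $1 = expected entry such as "DNS:www.bar.org"; exit status 0 if present
  cert_sans | grep -q -F "$1"
}

cert_matches_host() {
  # $1 = hostname. Verifies the self-signed cert against itself as trust anchor
  # and applies hostname checking against the SAN list.
  openssl verify -CAfile "$WORKDIR/san-demo.crt" -verify_hostname "$1" \
    "$WORKDIR/san-demo.crt" >/dev/null 2>&1
}

# Stand-alone run: SAN_DEMO_RUN=1 sh san-demo.sh
if [ "${SAN_DEMO_RUN:-0}" = 1 ]; then
  make_san_cert
  cert_sans
fi
```

Note that the `keyUsage` line is kept exactly as in the post; for a certificate that will actually serve modern TLS (ECDHE key exchange), `digitalSignature` would also need to be listed, since key encipherment alone only covers RSA key transport.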
