Security - Create self signed SAN certificate with OpenSSL

This post explains how to generate self signed certificates with SAN – Subject Alternative Names using openssl. It is a common but not very funny task, only a minute is needed when using this method.

The example below generates a certificate with two SubAltNames: mydomain.com and www.mydomain.com

Create openssl configuration file

Create configuration file for openssh (In a Linux system, I usually set /etc/ssl/selfsigned as working directory in which generate the config files and generated certificates…) called for example mydomain.cnf with the following parameters:

(This is not a general openssh configuration file. Only a “one-time” use)

[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = ES
ST = MyState
L = MyCity
O = MyOrg
emailAddress = email@mydomain.com
CN = mydomain.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com

If no SAN is needed to be added, remove the red lines.
If more SAN names are needed, add more DNS lines in the [alt_names] section.

Run OpenSSL command

The command generates the certificate (-out) and the private key (-keyout) by using the configuration file (-config). The “-nodes” parameter avoids setting a password to the private key.

# openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout mydomain.com.key -days 3560 -out mydomain.com.crt -config mydomain.com.cnf
Generating a 2048 bit RSA private key
..................................................+++
.+++
writing new private key to 'mydomain.com.key'
-----

The generated certificate showing the SANs:

Example config in Apache:

You can use the generated certificate in any webserver.
For example to apply it in Apache, use the SSLCertificateFile and SSLCertificateKeyFile for both the cert and the private key:

<VirtualHost *:443>
  ServerName mydomain.com
  ServerAlias www.mydomain.com
  ServerAdmin somoit@somoit.net
  DocumentRoot "/var/www/html/myweb"
  <Directory "/var/www/html/myweb/">
    Options MultiViews FollowSymlinks
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
  TransferLog /var/log/apache2/myweb_access.log
  ErrorLog /var/log/apache2/myweb_error.log

  SSLEngine on
  SSLCertificateFile /etc/ssl/selfsigned/mydomain.com.crt
  SSLCertificateKeyFile /etc/ssl/selfsigned/mydomain.com.key
</VirtualHost>

4 thoughts on “Security – Create self signed SAN certificate with OpenSSL”

what about CSR?

Reply ↓

Sysadmin SomoIT on September 11, 2019 at 7:22 am said:

What do you need it for?

Reply ↓
- Breizh on February 23, 2021 at 9:31 am said:
  
  Because using the same key for the CA and the final cert made an error that you can’t bypass in some browsers.
  
  Reply ↓
  - Sysadmin SomoIT on February 23, 2021 at 1:50 pm said:
    
    That’s because the “CA” that generates the certificate is not a 3rd party trusted one. Its a normal behaviour.
    
    If you need your browser or OS not to show a warning error you must import the CA root certificate (that in this case is the same as the generated certificate itself) into your trusted certificates store.
    
    Reply ↓

SomoIT.net

IT System Administration – Sysadmin tips, tricks and tutorials

Security – Create self signed SAN certificate with OpenSSL

Create openssl configuration file

Run OpenSSL command

Example config in Apache:

4 thoughts on “Security – Create self signed SAN certificate with OpenSSL”

Leave a Reply Cancel reply