Creating a Certificate With Multiple Hostnames

Multiple Names on One Certificate

While it is not possible without TLS extensions to serve different certificates for a single IP (See here on how to setup apache on Debian for TLS extensions.) it is possible to have a single certificate that works with any number of hostnames. I’m not talking about a wildcard certificate but a certificate that allows completely different hostnames to be valid for a single certificate. For example http://www.foo.com and http://www.foo.org can share a certificate. This approach would not be appropriate except in certain circumstances. You wouldn’t want to have two different customers using the same certificate but a single customer may wish to use one certificate for all of their domains. Both Internet Explorer and Firefox honor certificates of this type. From what I read some Java SSL libraries do not handle this type of certificate properly but Java was the only exception.

x509 certificates, those that are served in SSL communications, offer a feature known as Subject Altnerative Names. A subject Alternative Name is an attribute that lists an alternate name for the subject of the certificate (that’s oddly fitting isn’t it?). In a web context that subject is the hostname. However it’s not just hostnames that can be an alternative subject. Email is an option as is IP addresses.

The first step is to create a CSR (certificate signing request) that contains the subject alternative names that you desire for your certificate. I will show how to do that using openssl. You will likely need to modify the default openssl.cnf file. In Debian this is located in /etc/ssl/openssl.cnf. Note that you may prefer to make modifications to a local copy and tell openssl to use your locally modified copy using the -config option. For simplicity I will omit -config localopenssl.cnf from my examples.

Config File Settings

You need to tell openssl to create a CSR that includes x509 V3 extensions and you also need to tell openssl to include a list of subject alternative names in your CSR. In my openssl.cnf I have the following:

In the [req] section

[req]
req_extensions = v3_req

In the v3_req section:

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName          = @alt_names

[alt_names]
DNS.1   = www.foo.com
DNS.2   = www.foo.org

Generating the CSR

Then the CSR is generated using:

$ openssl req -new -out $CSR_FILENAME -key $KEY_FILE

To check to see if you got everything correct use:

$ openssl req -text -noout -in $CSR_FILENAME

You should see something similar to this:

        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.foo.com, DNS:www.foo.org

Creating the Certificate

Now you must have a CA (certificate authority) create a signed certificate based on the information provided in your request. Unfortunately most CA software will not honor the subject alternative names in a CSR by default. In the case of the certificate signing tools from Microsoft in Windows 2003 you can tell it to honor subject alternative names using the following:

certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

For openssl you need to use a policy that allows subject alternative names. I believe the policy named policy_anything in the default openssl.cnf file will work. To use that policy:

$ openssl ca -policy policy_anything -in $CSR_FILENAME -out $CERT_FILENAME

Finally to test that your certificate was created correctly use the following:

$ openssl x509 -text -noout -in $CERT_FILENAME

You should see something like this:

 X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.foo.org DNS:www.foo.org
Advertisements
This entry was posted in Geek, Tips. Bookmark the permalink.

13 Responses to Creating a Certificate With Multiple Hostnames

  1. Easy says:

    For an OpenSSL based CA to include the so desired extensions, it is necessary for the openssl.cnf file to have the following option enabled:

    # Extension copying option: use with caution.
    copy_extensions = copy

    under the [ CA_default ] section.

  2. cmtn says:

    Thanks, very straight and it works.
    BTW, I did not enable copy_extension=copy

  3. Daniel says:

    I’d like to know how to do that in one single command line if possible 😛

  4. Aaron says:

    Good article. That’s kind of silly of OpenSSL to not allow some comma separated names when you run the req, but it’s nice to know this is an option.

  5. Amrutha says:

    I have done the first two steps but, facing some problem after that.
    openssl ca -policy policy_anything -in $CSR_FILENAME -out $CERT_FILENAME — this command is giving some error message.
    The error message is
    Using configuration from /usr/lib/ssl/openssl.cnf
    Error opening CA private key ../../CA/private/cakey.pem
    23033:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen(‘../../CA/private/cakey.pem’,’r’)
    23033:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354

    Anyone can help me out to solve this issue.

    Thanks in advance.

  6. iBro says:

    @Amrutha:

    It says that OpenSSL can not found cakey.pem.
    Configure OpenSSL by editing the openssl.cnf mentioned or supply a custom configuration on the command line.

  7. Aleksey says:

    # Extension copying option: use with caution.
    copy_extensions = copy

    without this don t work. Thanks you.
    ———
    Amrutha said:
    March 25th, 2011 at 12:55 am
    You simply need try make outher ca key.

  8. Kevin Potter says:

    You can also add Subject Alternative Names to existing CSRs if you amend the usr_cert section of the openssl.cfg file, adding a line such as:

    subjectAltName=DNS:www.mysite.com
    or
    subjectAltName=URI:http://my.url.here/

    Generally I would save it with a different name e.g openssl-san.cfg

    then running:
    openssl x509 -req -extfile openssl-san.cfg -in csr_filename -out cert_filename -extensions usr_cert

  9. Manuel says:

    Thanks a lot.
    A very useful help.

  10. Michael says:

    Thank you for a very interesting article. I would like to know if is possible to use OpenSSL to create a wildcard certificate for multiple-domains for an email environment, and would it work with all clients (Outlook, Thnuderbird, etc).

  11. olive says:

    Hi,

    I am able to add Subject alternative name to .csr but it is not visble to .crt.

    The commands I used to ctrea the .crt ..

    /software/bea/openssl/1.0.1c/bin/openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s