
SSL Certificate Request with Multiple Alternative Names

June 24, 2015

In this post I’ll enumerate the steps to prepare an SSL certificate request using openssl on an AIX (7.1) machine.

  1. Verify the version of openssl

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

  2. Copy /var/ssl/openssl.cnf to the current directory (it is a good idea to create a new directory to work in for this step).

Modify the openssl.cnf as follows:

  3. In the section [ req ] modify the following entries (and uncomment req_extensions):

[ req ]
default_bits = 2048
default_keyfile = myweb.key
distinguished_name = myweb.mycompany.com
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

  4. Rename the section [ req_distinguished_name ] to the name you set as distinguished_name in [ req ] (in the example, [ myweb.mycompany.com ]) and make the following modifications:

[ myweb.mycompany.com ]
# For each field, "fieldName = ..." is only the prompt label; the value that is
# taken when you press enter is the matching "fieldName_default" entry.
countryName = CA
countryName_default = CA
countryName_min = 2
countryName_max = 2

stateOrProvinceName = Ontario
stateOrProvinceName_default = ON

localityName = Ottawa
localityName_default = Ottawa

0.organizationName = My Organization Name
0.organizationName_default = My Organization Name

# we can do this but it is not needed normally 🙂
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = My Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = myweb.mycompany.com
commonName_default = myweb.mycompany.com
commonName_max = 64

emailAddress = myEmail@mycompany.com
emailAddress_default = myEmail@mycompany.com
emailAddress_max = 64

  5. Optional: modify the section [ req_attributes ] as follows:

[ req_attributes ]
challengePassword = myChallengePwd
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = My_company_Abr

  6. Add the alternative names in the [ v3_req ] section:

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Every name the certificate must be valid for goes here, the CN included:
# a client that finds a SAN extension ignores the CN when matching the host name (RFC 6125)
subjectAltName = DNS:myweb.mycompany.com,DNS:myweb,DNS:thisweb,DNS:thisweb.mycompany.com,IP:10.10.0.38

Note that we are requesting the certificate to be valid for https://myweb.mycompany.com, https://myweb (i.e. for internal use), https://thisweb.mycompany.com and https://10.10.0.38. The name used as commonName must be listed in subjectAltName as well: clients that find a SAN extension match the host name against the SAN only and ignore the CN (RFC 6125), so a name that appears only in the CN will fail validation.

  7. Save the modifications to the openssl.cnf file.
  8. Generate the SSL key file

$ openssl genrsa -out myweb.key 2048
Generating RSA private key, 2048 bit long modulus
…………….+++
………………….+++
e is 65537 (0x10001)

  9. Generate the certificate request

$ openssl req -new -config ./openssl.cnf -sha256 -key myweb.key -out myweb.csr

Note: if prompted for responses, press enter to accept the values in the openssl.cnf file. Only the *_default entries are taken as values; the plain "fieldName = ..." entries are prompt labels, so a field that has no _default line is left out of the subject when you just press enter.

  10. Verify that the alternative names are in the request

$ openssl req -noout -text -in myweb.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=ON, O=My Company Name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:5b:82:f8:80:4d:fb:8a:8c:45:72:77:12:83:
22:00:27:ac:45:fc:f5:5f:8e:7d:9d:83:3b:d9:83:
09:44:f7:62:be:80:fb:1c:88:50:ce:c3:d7:23:79:
cf:df:61:7b:a8:0a:57:8c:7f:74:50:77:93:05:f7:
87:ef:ce:31:25:93:4e:f6:0c:37:5e:a8:2b:b3:be:
64:dd:76:ea:ff:78:2e:7b:e4:3b:58:6f:63:df:9d:
5a:70:37:74:19:b0:7f:63:59:57:99:25:ff:91:77:
50:27:47:13:25:18:ae:e9:e3:97:25:7c:6a:27:33:
b7:b6:df:e0:d6:2d:9a:33:64:71:36:11:58:69:cf:
e3:3f
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:myweb, DNS:thisweb, DNS:thisweb.mycompany.com, IP Address:10.10.0.38
Signature Algorithm: sha256WithRSAEncryption
1b:92:ed:97:4f:77:6d:72:64:da:2f:74:fe:c6:49:0d:c4:2c:
25:30:2a:8b:5e:24:6e:15:b9:18:27:f1:82:a5:5c:79:77:d4:
ed:45:25:d0:1f:cb:a1:f1:5a:d5:df:84:2b:81:12:78:6d:53:
7e:a4:8b:07:64:0b:e6:31:0d:9c:19:ba:55:e2:4a:e5:97:f7:
aa:4c:66:b8:f4:bf:9b:7b:d0:05:81:ef:14:e8:94:0a:ed:1b:
bb:21:86:d9:18:06:e6:df:ca:c1:8a:a2:5a:28:54:8f:02:23:
36:7b:8b:ba:8f:c6:b0:cc:97:54:48:d0:f0:9c:b2:e1:98:19:
03:4e:39:fd:b4:05:99:3c:b0:3f:21:a6:29:2a:6d:16:f8:25:
8b:91:78:42:6d:1a:d3:a4:31:e5:b2:7c:9e:f0:a6:d6:85:f0:
ca:31:27:36

Done!
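The whole procedure above, condensed into a script that is not part of the original post: it writes a request config whose [ alt_names ] section is built from a list of names (the CN is added to the list automatically, since clients ignore the CN once a SAN is present), then runs the key and CSR generation of steps 8 and 9 and reads the SAN back out of the CSR for the check of step 10. It assumes openssl is on the PATH; the file names, subject fields and sample host names are constructed for illustration, and it uses prompt = no so that the subject is read from the file instead of being prompted for.

```shell
#!/bin/sh
# Added example (not from the original post): build an openssl.cnf with an
# alt_names section from a list of names, create key + CSR, and list the SAN.
# Assumes openssl is on PATH; all paths, subject fields and names are
# constructed for illustration.

# make_san_config CN OUTFILE [name ...]
# Writes a complete request config. The CN is always the first alt_names
# entry; each further argument made only of digits and dots becomes an IP
# entry, anything else a DNS entry.
make_san_config() {
  cn=$1; out=$2; shift 2
  dns_n=0; ip_n=0
  {
    printf '[ req ]\n'
    printf 'default_bits = 2048\n'
    printf 'prompt = no\n'            # take the subject from [ dn ], never prompt
    printf 'distinguished_name = dn\n'
    printf 'req_extensions = v3_req\n'
    printf 'string_mask = utf8only\n'
    printf '\n[ dn ]\n'
    printf 'C = CA\nST = ON\nL = Ottawa\nO = My Organization Name\n'
    printf 'CN = %s\n' "$cn"
    printf '\n[ v3_req ]\n'
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n'
    printf '\n[ alt_names ]\n'
    # The CN goes into the SAN too: a client that finds a SAN extension
    # ignores the CN when matching the host name (RFC 6125).
    for name in "$cn" "$@"; do
      case $name in
        '') ;;                                   # skip empty arguments
        *[!0-9.]*) dns_n=$((dns_n + 1)); printf 'DNS.%d = %s\n' "$dns_n" "$name" ;;
        *)         ip_n=$((ip_n + 1));   printf 'IP.%d = %s\n' "$ip_n" "$name" ;;
      esac
    done
  } > "$out"
}

# make_csr CONFIG KEY CSR: steps 8 and 9 of the post in one call.
make_csr() {
  openssl genrsa -out "$2" 2048 2>/dev/null &&
    openssl req -new -sha256 -config "$1" -key "$2" -out "$3"
}

# csr_san CSR: print the CSR's subjectAltName entries, one per line
# (the line following the "Subject Alternative Name" header, split on commas).
csr_san() {
  openssl req -noout -text -in "$1" |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed 's/^ *//'
}

# Usage (hypothetical paths):
#   make_san_config myweb.mycompany.com openssl.cnf myweb thisweb thisweb.mycompany.com 10.10.0.38
#   make_csr openssl.cnf myweb.key myweb.csr
#   csr_san myweb.csr
```

Keeping the names in a separate [ alt_names ] section (DNS.1, DNS.2, ..., IP.1) rather than on one subjectAltName line makes long lists readable and lets the list be generated; the final csr_san check is the same "openssl req -noout -text" inspection as step 10, reduced to the one line a reviewer needs to compare against the intended host names.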
