Generating CSR for multi-domain


For an X.509 certificate to support multiple domains, it must use multiple Subject Alternative Name DNS entries, according to RFC 2818 (HTTP over TLS) (or RFC 6125):

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)

As described in this document (except I would use -des3 too for the genrsa command, to protect the private key):

  • Make a copy of your initial openssl.cnf file (the original is probably somewhere under /etc on Linux).
  • Edit it to add req_extensions = v3_req in the [ req ] section.
  • Edit it to add subjectAltName=DNS:www.example.com,DNS:www.other-example.com (one DNS: entry per host name you require) in the [ v3_req ] section.
  • Make OpenSSL use that configuration file. Call it with OPENSSL_CONF=/path/to/your/openssl.cnf openssl req ...

This being said, I wouldn't worry too much about setting any extension in the CSR. Any good CA should ignore whatever you've set in the CSR and only set whatever they have actually verified when issuing the actual certificate. They'll happily replace any RDN in your Subject DN (e.g. Country, Organization, ...) as well as any extension (SAN or Key Usage). Firstly, if they let any extension as requested in the CSR by the applicant, this would be a security risk, since some applicants could really get anything. Secondly, that's how they make extra money, by charging you for setting a few bits here and there (e.g. code signing extension): they'll make sure that you only get what you've paid for in your certificate. I understand, though, that you may want to put all the names you request in your CSR, just to be sure.
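The four steps above, carried through end to end as an added example (this is not code from the original answer): a small POSIX shell script that writes the minimal openssl.cnf the answer describes, generates the key and CSR from it, and then reads the requested DNS names back out of the CSR. It assumes the openssl CLI is on PATH; host names, file names and the function names write_san_config, make_csr and csr_san_names are constructed for this illustration. Passing -config has the same effect as the answer's OPENSSL_CONF=... prefix, and the final check is the one worth keeping: it confirms the subjectAltName extension really landed in the request rather than being silently dropped because openssl read a different configuration file.

```shell
#!/bin/sh
# Added example, not part of the original answer: build a CSR whose
# subjectAltName extension lists several DNS names, then read the names
# back out of the CSR to confirm they are really there.
# Assumes the openssl CLI is on PATH. Host names and file names are
# constructed placeholders.
set -eu

# write_san_config CFGFILE CN HOST...
# Writes a minimal req-only configuration: req_extensions = v3_req in
# [ req ] and subjectAltName = DNS:... in [ v3_req ], one DNS: entry per
# host name, which are exactly the two edits the answer describes.
write_san_config() {
    cfg=$1; cn=$2; shift 2
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = $cn

[ v3_req ]
subjectAltName = $san
EOF
}

# make_csr CFGFILE KEYFILE CSRFILE
# Generates a fresh 2048-bit RSA key and a CSR from that configuration.
# -config has the same effect as the answer's OPENSSL_CONF=... prefix.
# -nodes leaves the key unencrypted so the example runs non-interactively;
# for a real key drop -nodes (or use genrsa -des3 as the answer suggests)
# so the private key is protected by a passphrase.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# csr_san_names CSRFILE
# Prints the DNS names found in the CSR's requested subjectAltName
# extension, one per line. Checking the CSR this way catches the common
# mistake of editing the config file but not making openssl read it.
csr_san_names() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 |
        tr ',' '\n' |
        sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Demo: only runs when openssl is available, and cleans up after itself.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    write_san_config "$work/san.cnf" www.example.com \
        www.example.com www.other-example.com
    make_csr "$work/san.cnf" "$work/yourdomain.key" "$work/yourdomain.csr"
    echo "SAN entries in $work/yourdomain.csr:"
    csr_san_names "$work/yourdomain.csr"
    rm -rf "$work"
fi
```

Running the script prints the two DNS names back from the generated CSR; if the list comes out empty, openssl did not pick up the v3_req section, which is the first thing to check before sending the request to a CA.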

Author: Elisa

Updated on July 25, 2022

Comments

  • Elisa (almost 2 years ago)

    How to generate a CSR for multi-domain.

    I found that generating a CSR for a single domain is done as below:

    openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

    But how do I generate a multi-domain CSR?