Generating a CSR for multiple domains
For an X.509 certificate to support multiple domains, it must use multiple Subject Alternative Name DNS entries, according to RFC 2818 (HTTP over TLS) (or RFC 6125):
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)
As described in this document (except I would use -des3 too for the genrsa command, to protect the private key):

- Make a copy of your initial openssl.cnf file (the original is probably somewhere under /etc on Linux).
- Edit it to add req_extensions = v3_req in the [ req ] section.
- Edit it to add subjectAltName=DNS:www.example.com,DNS:www.other-example.com (one DNS: entry per host name you require) in the [ v3_req ] section.
- Make OpenSSL use that configuration file. Call it with OPENSSL_CONF=/path/to/your/openssl.cnf openssl req ...
This being said, I wouldn't worry too much about setting any extension in the CSR. Any good CA should ignore whatever you've set in the CSR and only set whatever they have actually verified when issuing the actual certificate. They'll happily replace any RDN in your Subject DN (e.g. Country, Organization, ...) as well as any extension (SAN or Key Usage). Firstly, if they let through any extension requested in the CSR by the applicant, this would be a security risk, since some applicants could really get anything. Secondly, that's how they make extra money, by charging you for setting a few bits here and there (e.g. the code signing extension): they'll make sure that you only get what you've paid for in your certificate. I understand, though, that you may want to put all the names you request in your CSR, just to be sure.
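The procedure above written out as a runnable script. This is an added example, not code from the original answer or from the document it links to: it writes the openssl.cnf fragment with the [ req ] and [ v3_req ] sections, generates the key and the CSR, and then reads the SAN list back out of the CSR so you can confirm what was actually requested before handing it to the CA. The host names, the file names (san.cnf, domain.key, domain.csr) and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): build a multi-domain CSR whose
# subjectAltName lists every host name, then verify the CSR before sending it.
# Host names and file names below are placeholders chosen for the example.
set -eu

# Write a minimal OpenSSL request config carrying the SAN list.
# $1 = output config path; remaining args = DNS names (the first one is also
# used as the CN, since RFC 2818 deprecates relying on CN alone).
# Prints the subjectAltName value that was written.
write_san_config() {
    cfg="$1"; shift
    cn="$1"
    sans=""
    for host in "$@"; do
        sans="${sans:+$sans,}DNS:$host"      # one DNS: entry per host name
    done
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = $cn

[ v3_req ]
subjectAltName = $sans
EOF
    printf '%s\n' "$sans"
}

# Generate a 2048-bit RSA key and a CSR that uses the config.
# $1 = working directory; remaining args = DNS names.
# The key is written unencrypted so the script stays non-interactive; the
# answer's -des3 recommendation would add a passphrase prompt (or -passout).
make_multi_domain_csr() {
    dir="$1"; shift
    write_san_config "$dir/san.cnf" "$@" >/dev/null
    openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null
    # -config is the explicit equivalent of OPENSSL_CONF=... in the answer.
    openssl req -new -key "$dir/domain.key" -config "$dir/san.cnf" \
        -out "$dir/domain.csr"
}

# Print, one per line, the DNS names embedded in the CSR's SAN extension.
# Prints nothing if the CSR carries no subjectAltName (e.g. req_extensions
# was forgotten), which is exactly the failure this check is meant to catch.
csr_san_names() {
    openssl req -in "$1" -noout -text \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://'
}
```

Running the check with openssl req -noout -text is worth the few seconds regardless of whether the CA honours the extension: a CSR generated without req_extensions = v3_req contains no SAN at all, and nothing else will tell you. On OpenSSL 1.1.1 and later, openssl req also accepts -addext "subjectAltName=DNS:www.example.com,DNS:www.other-example.com", which puts the same extension in the CSR without a separate config file.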
Elisa
Updated on July 25, 2022

Elisa, almost 2 years ago:
How do I generate a CSR for multi-domain?
I found that generating a CSR for a single domain is as below:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
But how do I generate a CSR for multi-domain?