OpenSSL CSR with Alternative Names one-line
Emanuele “Lele” Calò
October 30, 2014
2017-02-16 — Edit — I changed this post to use a different method than the one I used in the original version, because the X509v3 extensions weren’t created or seen correctly by many certificate providers.
I find it hard to remember a period in my whole life in which I issued, reissued, renewed and revoked so many certificates.
And while that’s usually fun and interesting, there’s one thing I often needed and never found, until a few days ago, which is how to generate CSRs (Certificate Signing Requests) with AlternativeNames (eg: including the www and non-www domain in the same cert) with a one-liner command.
This need is due to the fact that some certificate providers (like GeoTrust) don’t cover the parent domain when requesting a new certificate (eg: a CSR for www.endpoint.com won’t cover endpoint.com), unless you specifically request so.
Luckily that’s not the case with other certificate products (like RapidSSL) which already offer this feature built-in.
This scenario is becoming problematic more often since we’re seeing a growing number of customers supporting sites with HTTPS connections covering both the www and “non-www” subdomains of their site.
Luckily the solution is pretty simple and straightforward, and the only requirement is that you type the CSR subject on the command line directly, basically without using the interactive question mechanism.
If you managed to understand how an SSL certificate works this shouldn’t be a big problem; anyway, just as a recap, here’s the list of the meanings of the common Subject entries you’ll need:
OU — Organization Unit
CN — Common Name (eg: the main domain the certificate should cover)
emailAddress — main administrative point of contact for the certificate
So by using the common syntax for an OpenSSL subject written via the command line you have to specify all of the above (the OU is optional) and add another section called subjectAltName=.
By adding DNS.n (where n is a sequential number) entries under the “subjectAltName” field you’ll be able to add as many additional “alternate names” as you want, even ones not related to the main domain.
Obviously the first-level parent domain will be covered by most SSL products, unless specified otherwise.
So here’s an example to generate a CSR which will cover *.your-new-domain.com and your-new-domain.com, all in one command:
openssl req -new -sha256 -nodes -out "*.your-new-domain.com.csr" -newkey rsa:2048 -keyout "*.your-new-domain.com.key" -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=email@example.com
CN = www.your-new-domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
EOF
)
To be honest, that’s a sub-optimal solution for a few reasons, but mainly because it’s not comfortable to fix in case you made a typo or similar.
That’s why I prefer creating a dedicated file (which you can also reuse in the future) and then piping that into openssl.
Of course you can use your text editor of choice; I used a HEREDOC mainly because it shows better in blog posts, in my opinion.
cat > csr_details.txt <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=firstname.lastname@example.org
CN = www.your-new-domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
EOF

# Let's call openssl now by piping the newly created file in
openssl req -new -sha256 -nodes -out "*.your-new-domain.com.csr" -newkey rsa:2048 -keyout "*.your-new-domain.com.key" -config <( cat csr_details.txt )
Now with that I’m able to generate proper multi-domain CSRs effectively.
Please note the use of the -sha256 option to enable SHA256 signing instead of the old (and now definitely deprecated) SHA1.
Thanks to all our readers for all the hints, ideas and suggestions they gave me to improve this post, which apparently is still very useful to a lot of System Administrators out there.
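Since the 2017 edit above exists precisely because some providers never saw the X509v3 extensions, it is worth verifying the CSR before submitting it. The following shell functions are an added example and not part of the original post: they build the same kind of config for any list of hostnames, generate the key and CSR, and then read the subjectAltName extension back out of the CSR with `openssl req -noout -text`. The openssl CLI is assumed to be on PATH, and the DN values and hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is on
# PATH; the DN values and hostnames used here are placeholders to adapt.

# gen_san_csr BASENAME CN ALTNAME...: writes BASENAME.key and BASENAME.csr,
# listing every ALTNAME as a DNS.n entry under [alt_names].
gen_san_csr() {
  base=$1; cn=$2; shift 2
  cfg=$(mktemp) || return 1
  {
    printf '[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n'
    printf 'req_extensions = req_ext\ndistinguished_name = dn\n'
    printf '[dn]\nC=US\nST=New York\nL=Rochester\nO=End Point\nCN=%s\n' "$cn"
    printf '[req_ext]\nsubjectAltName = @alt_names\n[alt_names]\n'
    i=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$cfg"
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -keyout "$base.key" -out "$base.csr" -config "$cfg"
  rc=$?
  rm -f "$cfg"
  return $rc
}

# csr_san_names CSRFILE: prints one DNS name per line taken from the CSR's
# X509v3 Subject Alternative Name extension; prints nothing if the extension
# is missing, which is exactly what the providers mentioned above complained about.
csr_san_names() {
  openssl req -noout -text -in "$1" \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# csr_has_san CSRFILE NAME: succeeds only if NAME is exactly one of the SANs.
csr_has_san() {
  csr_san_names "$1" | grep -qxF -- "$2"
}
```

Run `gen_san_csr site www.your-new-domain.com your-new-domain.com www.your-new-domain.com` and then `csr_san_names site.csr`; if the second command prints nothing, the request carries no SAN extension and the provider will only see the CN.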