Credit where credit is due: The final steps that worked were based on this message from the openssl-users list and the command to generate the certificate from this page in the Linode Library.
First, save the following in a config file; for this example I'll call it example.conf, and it will cover several related domain names:
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certs = $dir/certs
certificate = $certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256 # sha1-signed certificates are rejected by current browsers and TLS libraries
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = example.key # name of generated keys
default_md = sha256 # message digest algorithm (sha1 signatures are rejected by current clients)
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
commonName_default = www.example.com
0.organizationName_default = Example Company
localityName_default = Honolulu
stateOrProvinceName_default = Hawaii
countryName_default = US
emailAddress_default = webmaster@example.com
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = www2.example.com
DNS.3 = www.example.net
DNS.4 = example.com
[ server ]
# Make a cert with nsCertType set to "server" (legacy Netscape extension; this section is not used by the req -x509 command in this post)
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ client ]
# Make a cert with nsCertType set to "client"
basicConstraints=CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
You may also want to change the default keyfile names and other defaults to save yourself some typing later, especially if you're only going to be generating one certificate.
Once you have the configuration file the way you like it, you're ready to generate the key and certificate. We'll be doing it in just one step, without saving the intermediate certificate signing request:
$ openssl req -new -x509 -days 365 -nodes -out example.crt -keyout example.key -config example.conf
You'll be prompted for the various certificate fields; if you didn't change the defaults in the configuration file to what you want, enter the values when prompted, otherwise just hit Enter at each prompt to accept the default from the configuration file. The certificate will be good for one year; to change that, alter the number of days on the command line. (The default_days entry in the [ CA_default ] section is only read by openssl ca, not by openssl req, so it has no effect on this command; without -days, openssl req -x509 issues a 30-day certificate.)
Once this is done, you'll see two new files: example.key (which contains the private key; -nodes leaves it unencrypted, so restrict its permissions to the account that serves TLS) and example.crt (which contains the public certificate). Do whatever you need to do with them for your application. It is worth confirming with openssl x509 -in example.crt -noout -text that the Subject Alternative Name list actually made it into the certificate, since browsers ignore the Common Name once a SAN extension is present.
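The procedure above, as an added example that is not code from the original post: a non-interactive version that writes a SAN config, runs the same one-step openssl req -x509 command, and then checks the result (SAN list, signature algorithm, hostname coverage, and that the key and certificate belong together). It assumes openssl 1.1.1 or 3.x is on PATH; the domain names and subject fields are placeholders carried over from the post's config, and the helper names (write_san_config, generate_cert, san_of, sig_alg_of, cert_covers_host, cert_matches_key) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: non-interactive multi-domain
# self-signed certificate via `openssl req -x509`, plus post-generation checks.
# Assumes `openssl` (1.1.1 or 3.x) is on PATH. All names below are placeholders.
set -e

# Write a minimal req config. `prompt = no` plus a [ dn ] section replaces the
# interactive prompts and the *_default entries; x509_extensions = v3_req puts
# the subjectAltName list straight into the self-signed certificate.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = v3_req

[ dn ]
C  = US
ST = Hawaii
L  = Honolulu
O  = Example Company
CN = www.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = www2.example.com
DNS.3 = www.example.net
DNS.4 = example.com
EOF
}

# Generate example.key and example.crt in directory $1 with the same command
# shape as the post. -nodes leaves the private key unencrypted, so lock it down.
generate_cert() {
    write_san_config "$1/example.conf"
    openssl req -new -x509 -days 365 -nodes \
        -config "$1/example.conf" \
        -keyout "$1/example.key" -out "$1/example.crt" 2>/dev/null
    chmod 600 "$1/example.key"
}

# Print the SAN list of certificate $1, e.g. "DNS:www.example.com, DNS:..."
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Print the signature algorithm of certificate $1 (expect sha256WithRSAEncryption).
sig_alg_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm/ { print $3; exit }'
}

# Succeed only if certificate $1 is valid for hostname $2. `-checkhost` exits 0
# either way and prints "does match" or "does NOT match", so grep the verdict.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeed only if the public key in certificate $1 matches private key $2
# (both commands emit the same SubjectPublicKeyInfo PEM when they belong together).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Stand-alone run: build into a scratch directory and summarise what came out.
OUT="$(mktemp -d)"
generate_cert "$OUT"
echo "files:  $OUT/example.key $OUT/example.crt"
echo "SAN:    $(san_of "$OUT/example.crt")"
echo "sigalg: $(sig_alg_of "$OUT/example.crt")"
for h in www2.example.com mail.example.com; do
    if cert_covers_host "$OUT/example.crt" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
```

The hostname check is the one that matters for a multi-site certificate: mail.example.com is reported as not covered even though example.com is in the list, because a SAN dNSName entry matches exactly (or via a single leading wildcard label), never by suffix.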
7 comments:
Thanks, this helped me today to create a multiple-site self-signed certificate. Very useful.
You're welcome. It's nice to know that someone found it useful.
Thanks for the great post. Your instructions were simple and did the trick.
Len, you're welcome! I tried to keep things simple and straight forward so I can easily repeat them the next time I have to do it.
It's a really clear and straightforward explanation of a self-signed SSL certificate for multiple domains. We really appreciate your efforts in writing this entire tutorial. Being a Platinum Certificate Authority, we are going to recommend your blog to SSL Installation Education, and I wish that your blog post will help other users.
- Thanks
I got this error:
Error Loading extension section default
140058831787672:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140058831787672:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=HOME, value=.
Daniel,
Without knowing what version of OpenSSL you're using, on what OS, I don't know that I can help.