Aug 29, 2017

Generate a SAN certificate

We are going to use openssl to generate a certificate with subject alternative names (SANs). With SANs in a certificate, the same certificate can front several websites with different domain names.

First we need to generate a private key. Since this key will be used by a web server like Nginx or Apache, I'm not going to encrypt it with a passphrase.


openssl genrsa -out thilina.org.key 2048


Then we need a configuration file to add those alternative names to the certificate signing request (CSR).

sans.conf

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName        = Locality Name (eg, city)
organizationName    = Organization Name (eg, company)
commonName          = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1=thilina.org
DNS.2=api.thilina.org
DNS.3=gateway.thilina.org


Now I'm going to generate the CSR in a single command.


openssl req -new -key thilina.org.key -sha256 -nodes -out thilina.org.csr \
  -subj "/C=LK/ST=Colombo/L=Colombo/O=Thilina Piyasundara/OU=Home/CN=thilina.org" \
  -config sans.conf


Print and verify the CSR. The Requested Extensions section must list all three DNS names:


openssl req -in thilina.org.csr -text -noout



Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = LK, ST = Colombo, L = Colombo, O = Thilina Piyasundara, OU = Home, CN = thilina.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:13:91:5d:62:7c:4f:57:6d:4c:79:85:59:d8:
                    c5:ae:50:41:cc:db:fe:b4:75:fc:c1:73:e7:a7:ac:
                    89:36:3b:26:08:0f:33:b0:96:5c:29:a1:ee:9a:14:
                    13:4b:5b:43:74:74:a2:fd:97:2b:2b:bd:2a:b8:e6:
                    22:d2:01:15:f3:7f:e9:d8:c9:d4:65:04:5a:ef:f0:
                    03:41:63:56:39:eb:5f:e5:90:de:33:b7:bb:60:0e:
                    e3:70:79:60:8f:cb:a9:71:3b:e3:0a:b1:17:47:aa:
                    41:08:b5:44:5e:1a:a1:fa:a2:ce:ed:18:c5:a3:b0:
                    6f:0f:57:ca:ae:28:7f:91:49:14:6b:94:4c:3c:33:
                    fb:27:ed:77:37:a7:d6:54:4e:a7:6e:bc:c9:a2:a1:
                    b5:f2:f0:aa:76:64:04:83:96:92:03:36:4c:3e:14:
                    0e:97:a6:79:9e:23:c1:2a:c4:7a:3d:6e:f3:1c:40:
                    e3:d1:61:f2:56:51:8f:0f:04:76:62:ea:b0:1f:94:
                    e8:a8:8b:54:d6:08:5a:79:a6:a4:a0:00:fb:5f:c3:
                    d5:d4:50:ea:15:12:ea:9b:10:cc:9a:d9:32:6e:48:
                    93:30:4b:e7:2e:fe:a9:a0:31:16:61:24:3f:29:54:
                    2a:25:da:d2:b3:6a:d9:d5:a9:51:ee:d3:bb:b9:83:
                    86:59
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:thilina.org, DNS:api.thilina.org, DNS:gateway.thilina.org
    Signature Algorithm: sha256WithRSAEncryption
         96:44:43:98:60:76:49:ad:8b:01:65:20:f1:ca:4a:47:84:67:
         dc:77:f0:2e:bb:30:68:8b:2f:79:c4:4c:10:91:ec:70:fe:73:
         9c:3e:f4:69:18:8c:34:f6:85:05:26:b1:2a:35:38:f5:93:59:
         c2:a4:07:83:73:79:88:9b:ff:17:99:66:34:58:21:bc:de:8e:
         65:b9:50:bb:18:52:53:9b:ed:a3:4e:c7:55:73:2e:42:47:dc:
         94:4d:fb:cc:ba:b1:7a:57:a6:f9:fa:27:a2:54:aa:cd:f6:79:
         3d:b7:0a:82:a3:18:41:ec:f5:db:cc:05:6a:43:64:d7:4a:00:
         fe:a3:89:f9:25:f3:79:55:f9:79:3a:b2:96:5e:9d:67:f5:c7:
         e4:ab:fc:da:cb:df:f5:76:36:44:fe:d2:87:3a:d7:a2:a9:2e:
         fc:7f:ba:a6:12:44:70:e0:c4:42:57:01:1e:51:0a:d4:2e:33:
         e2:63:20:c2:9a:07:1b:78:e8:fb:42:b5:e5:85:00:b1:2c:25:
         d8:ad:43:af:6a:01:09:59:7e:d0:af:dd:72:f3:93:18:30:38:
         c2:b0:6c:8e:88:79:4e:16:fe:e3:87:46:c2:eb:f3:2e:2b:aa:
         a7:a9:76:1d:fd:8b:d9:d9:1c:a3:1c:21:db:af:b0:0b:7e:15:
         37:37:0f:25



Validate that the key, CSR and certificate match. Each command prints the MD5 hash of the RSA modulus; all three hashes must be identical.

openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5
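The whole procedure, from key to matching check, as an added example that is not part of the original post. It uses constructed hostnames (example.test and two subdomains), writes everything into a temporary directory, and self-signs the CSR so that there is a certificate to check against. Two things go beyond the post: it shows that `openssl x509 -req` does not copy the requested extensions out of the CSR unless the SAN section is passed again with -extfile/-extensions, and the matching check compares a hash of the public key instead of the RSA modulus, which gives the same answer for RSA keys and also works for EC keys. Function and file names (make_chain, sans_of, pubkey_hash, matching, server.key/csr/crt) are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. It repeats the procedure above
# with constructed hostnames (example.test) in a temporary directory, self-signs
# the CSR so that there is a certificate to check, and then verifies that
# (1) the CSR and the certificate really carry the expected SANs and
# (2) key, CSR and certificate share the same public key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXPECTED_SANS="DNS:example.test, DNS:api.example.test, DNS:gateway.example.test"

# Same layout as sans.conf above; the DNS names are constructed for this example.
write_san_conf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
commonName = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.test
DNS.2 = api.example.test
DNS.3 = gateway.example.test
EOF
}

# Key -> CSR with SANs -> self-signed certificate. `openssl x509 -req` does not
# copy the requested extensions out of the CSR by default, so the SAN section is
# passed again with -extfile/-extensions; without that the certificate would
# have no SANs even though the CSR asked for them.
make_chain() {
    write_san_conf "$1/sans.conf"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -sha256 -out "$1/server.csr" \
        -subj "/C=XX/O=Example/CN=example.test" -config "$1/sans.conf"
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 30 -sha256 \
        -extfile "$1/sans.conf" -extensions req_ext -out "$1/server.crt" 2>/dev/null
}

# Print the subjectAltName list of a CSR (req) or certificate (x509).
sans_of() {
    openssl "$1" -in "$2" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# SHA-256 of the PEM public key held in a key, CSR or certificate. This is the
# same idea as the modulus comparison above, but it also works for EC keys.
pubkey_hash() {
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -pubkey -noout ;;
        crt) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when key, CSR and certificate all carry the same public key.
matching() {
    k=$(pubkey_hash key "$1"); c=$(pubkey_hash csr "$2"); x=$(pubkey_hash crt "$3")
    [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

make_chain "$WORK"
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null   # unrelated key for the negative check

echo "CSR  SANs: $(sans_of req  "$WORK/server.csr")"
echo "Cert SANs: $(sans_of x509 "$WORK/server.crt")"
if matching "$WORK/server.key" "$WORK/server.csr" "$WORK/server.crt"; then
    echo "server.key, server.csr and server.crt match"
fi
if ! matching "$WORK/other.key" "$WORK/server.csr" "$WORK/server.crt"; then
    echo "other.key does not belong to this CSR/certificate"
fi
```

When a real CA issues the certificate, run the same two checks on the file it returns: sans_of x509 tells you whether the CA actually honoured the requested SANs, and matching catches the case where the certificate was issued for a different key (for example an older CSR) before it is deployed to the web server.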