Friday, January 21, 2011

Creating Certificates with Multiple Hostnames

When hosting multiple host names on a single IP address, it is possible to have a single certificate that works for any number of hostnames by using "Subject Alternative Names", an X.509 extension that lists one or more alternate names for the subject of the certificate. In a web context that subject is the hostname, and a client checks the name it connected to against the DNS entries in this extension. Hostnames are not the only kind of alternative name: email addresses and IP addresses are options as well. For instance, many companies host more than a single website address, such as www.example.com and www.example.org, on the same server.

The first step is to create a CSR (certificate signing request) that contains the subject alternative names you want in your certificate. I will show how to do that using openssl. You will likely need to modify the default openssl.cnf file; in SUSE this is located in /etc/ssl/openssl.cnf. Note that you may prefer to make your modifications to a local copy and tell openssl to use that copy with the -config option, which leaves the system-wide defaults untouched. For simplicity I will omit -config localopenssl.cnf from my examples.

Config File Settings

You need to tell openssl to create a CSR that includes X.509 v3 extensions, and you also need to tell openssl which list of subject alternative names to put in that extension block. In my openssl.cnf I have the following:

In the [req] section:

[req]
req_extensions = v3_req

In the v3_req section:

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.org

Then the CSR is generated using:

$ openssl req -new -out $CSR_FILENAME -key $KEY_FILE
To check that the request contains what you expect, use:

$ openssl req -text -noout -in $CSR_FILENAME

You should see something similar to this, with both hostnames listed under Requested Extensions:

        Attributes:
            Requested Extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Subject Alternative Name:
                    DNS:www.example.com, DNS:www.example.org

Creating the Certificate


Now you must have a CA (certificate authority) create a signed certificate based on the information provided in your request. Unfortunately most CA software will not honor the subject alternative names in a CSR by default. In the case of the certificate signing tools from Microsoft in Windows 2003 you can tell the CA to honor subject alternative names supplied with the request using the following:


  • certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

  • net stop certsvc

  • net start certsvc

Be aware that this is a CA-wide setting, not a per-template one. Once EDITF_ATTRIBUTESUBJECTALTNAME2 is set, any principal that is allowed to enroll for a certificate can attach a subject alternative name of its choosing as a request attribute, and the CA will issue a certificate for that name without checking that the requester controls it. Only enable it on a CA whose enrollment permissions are tightly restricted, and clear it again (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, followed by the same service restart) once the certificate has been issued.

For openssl you need two things in the CA section of openssl.cnf (or of your local copy). First, a policy that accepts the subject fields in your request; the policy named policy_anything in the default openssl.cnf file will do, since it marks every DN component optional except commonName. Second, and easy to miss: openssl ca ignores every extension in the CSR unless copy_extensions is set in the CA section, so the subjectAltName you put in the request never reaches the certificate. Set copy_extensions to copy rather than copyall: in copy mode any extension already defined in the CA's own x509_extensions section (basicConstraints, keyUsage) takes precedence over the request, so a CSR cannot smuggle in basicConstraints = CA:TRUE. Then sign the request with:


  • $ openssl ca -policy policy_anything -in $CSR_FILENAME -out $CERT_FILENAME

Finally, to check that the signed certificate actually carries the alternative names, use the following:


  • $ openssl x509 -text -noout -in $CERT_FILENAME

You should see something like this:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:www.example.org

If the Subject Alternative Name line is missing here even though it was present in the CSR, the CA dropped it; in the openssl case that almost always means copy_extensions was not set. Note also that Key Usage differs from what was requested (Non Repudiation is gone): extensions defined in the CA's own configuration win over the ones in the request.
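Here is the whole procedure end to end as a runnable script. It is added here as an illustration and is not code from the original post: it writes a local openssl.cnf containing the [req], [v3_req] and [alt_names] settings above plus a minimal CA section with copy_extensions = copy, generates a key and a SAN CSR, stands up a throwaway CA, signs the request, and pulls the Subject Alternative Name line out of both the CSR and the issued certificate so the two can be compared. The hostnames, the CA name, the scratch directory under mktemp and the policy_anything section are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: SAN CSR + "openssl ca" signing,
# using a local config file instead of editing /etc/ssl/openssl.cnf.
# Hostnames, CA name and the scratch directory are assumptions for illustration.
set -eu

WORK=${WORK:-$(mktemp -d)}
CNF="$WORK/openssl.cnf"
CADIR="$WORK/ca"

# [req]/[v3_req]/[alt_names] as in the post, plus a CA section that makes
# "openssl ca" copy the request's extensions; without copy_extensions the SAN
# in the CSR is silently dropped from the issued certificate.
write_config() {
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = www.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = www.example.org

[ ca ]
default_ca = local_ca

[ local_ca ]
dir             = $CADIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_anything
# "copy" (not "copyall"): extensions in server_cert below win over the CSR,
# so a request cannot smuggle in basicConstraints = CA:TRUE.
copy_extensions = copy
x509_extensions = server_cert

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Step 1: key + CSR carrying the subjectAltName extension.
make_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$WORK/server.key" -out "$WORK/server.csr"
}

# Throwaway CA: the files "openssl ca" insists on, plus a self-signed root.
make_ca() {
  mkdir -p "$CADIR/newcerts"
  : > "$CADIR/index.txt"
  echo 1000 > "$CADIR/serial"
  openssl genrsa -out "$CADIR/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$CNF" -extensions ca_cert -days 365 \
    -key "$CADIR/ca.key" -subj "/CN=Example Lab CA" -out "$CADIR/ca.crt"
}

# Step 2: sign the request with the policy named in the post.
sign_csr() {
  openssl ca -batch -notext -config "$CNF" -policy policy_anything \
    -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}

# Print the line following "Subject Alternative Name" in a CSR or certificate.
san_line() {  # $1 = req|x509, $2 = file
  openssl "$1" -text -noout -in "$2" |
    sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}
csr_sans()  { san_line req  "$WORK/server.csr"; }
cert_sans() { san_line x509 "$WORK/server.crt"; }

# Step 3: run everything and show that the SAN survived signing.
demo() {
  write_config; make_csr; make_ca; sign_csr
  echo "CSR : $(csr_sans)"
  echo "cert: $(cert_sans)"
}

demo
```

Both printed lines should read DNS:www.example.com, DNS:www.example.org. To see the failure mode the post's CA step runs into, delete the copy_extensions line from the config and run it again: the CSR line is unchanged, but the certificate line is empty because openssl ca threw the request's extensions away.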