How to create a self-signed SSL certificate for multiple domains

Pubudu Gunatilaka
Nov 14, 2016


Domain names can contain several levels of subdomains. For example, esb.dev.abc.com and test.api.dev.abc.com both belong to the same organization.

A wildcard certificate for *.dev.abc.com covers esb.dev.abc.com but not test.api.dev.abc.com. The wildcard matches only a single label, so it does not cover names that have more than one dot (.) to the left of .dev.abc.com.

We can add multiple DNS Subject Alternative Names (SANs) to the certificate so that it covers all of these domain names.

1. Create a file called openssl.cnf with the following contents.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
# Each field gives the prompt label, then the default accepted at the CSR prompt
countryName = SL
countryName_default = SL
stateOrProvinceName = Western
stateOrProvinceName_default = Western
localityName = Colombo
localityName_default = Colombo
organizationalUnitName = ABC
organizationalUnitName_default = ABC
commonName = *.dev.abc.com
commonName_max = 64

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
# Each wildcard SAN matches exactly one DNS label in front of its suffix
DNS.1 = *.api.dev.abc.com
DNS.2 = *.app.dev.abc.com

2. Create the private key.

sudo openssl genrsa -out server.key 2048

3. Create the Certificate Signing Request (CSR).

sudo openssl req -new -out server.csr -key server.key -config openssl.cnf

Note: When prompted for the common name, type *.dev.abc.com. The other fields take the default values defined in openssl.cnf above.

4. Self-sign the certificate.

sudo openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions v3_req -extfile openssl.cnf

The resulting server.crt will contain *.dev.abc.com as the common name and the other domain names as DNS alternative names.
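As an added example (not code from the original post), the following Python checks which hostnames a certificate carrying the SAN list above would be accepted for, applying the single-label wildcard rule that TLS clients use; the hostnames other than the two from the post are constructed.

```python
# Added example, not part of the original post: a pure-stdlib check of which
# hostnames the certificate built from the openssl.cnf above would be accepted
# for. It applies the single-label wildcard rule (RFC 6125) that TLS clients use.

# dNSName entries copied from the [alt_names] section of the post's openssl.cnf
SAN_DNS_NAMES = ["*.api.dev.abc.com", "*.app.dev.abc.com"]
# commonName from the post; modern browsers ignore it and check SANs only
COMMON_NAME = "*.dev.abc.com"


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one hostname against one certificate name.

    A leading '*.' stands for exactly one DNS label, so '*.dev.abc.com'
    covers 'esb.dev.abc.com' but not 'test.api.dev.abc.com'. Matching is
    case-insensitive and ignores a trailing dot, as clients do.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                        # e.g. ".dev.abc.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]         # what the '*' has to absorb
    return bool(leftmost) and "." not in leftmost


def coverage(hostnames, san_names=SAN_DNS_NAMES, cn=COMMON_NAME):
    """Classify each hostname as 'san' (accepted), 'cn-only' (matched by the
    CN alone, which browsers reject) or 'none' (not covered at all)."""
    result = {}
    for host in hostnames:
        if any(name_matches(p, host) for p in san_names):
            result[host] = "san"
        elif name_matches(cn, host):
            result[host] = "cn-only"
        else:
            result[host] = "none"
    return result


if __name__ == "__main__":
    # constructed sample names, including the two from the post
    for host, status in coverage([
        "esb.dev.abc.com", "test.api.dev.abc.com", "portal.app.dev.abc.com",
        "a.b.api.dev.abc.com", "dev.abc.com", "API.DEV.ABC.COM",
    ]).items():
        print(f"{host:28} {status}")
```

Note that the [alt_names] list has no entry covering esb.dev.abc.com itself: it is matched only by the common name, which browsers no longer consult, so a DNS.3 = *.dev.abc.com entry in [alt_names] is needed for that name to validate.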

Originally published at pubci.com on November 14, 2016.

Pubudu Gunatilaka

Senior Technical Lead @ WSO2 | Committer and PMC Member - Apache Stratos | PaaS Enthusiastic