Skip to main content

SSL Certificates with SAN Attributes

·397 words·2 mins
Table of Contents

This document will guide you through creating a Certificate Signing Request (CSR) with Subject Alternative Names (SAN).

Getting Started #

These instructions have been run on a RHEL Linux system.

SAN stands for “Subject Alternative Names” and this helps you to have a single certificate for multiple CN (Common Name). In SAN certificate, you can have multiple complete CN.

For example:

  • example.com
  • exmaple.net
  • example.org

You can have the above domains and more in a single certificate. One use case for this is loadbalancing, the Virtual IP could be the CN and then the hosts behind the LB would be the SAN entries.

Next we look at a real life example of wikipedia.org, which has many SAN entries in a single certificate.

Wikipedia.org SAN
Screensot of Wikipedia SAN

As you can see in the screenshot there are multiple SAN entries for the wikipedia.org URL.

Prerequisites #

A working installation of OpenSSL

[root@server ~]# yum install openssl

Create CSR Config #

Create a directory to hold the CSR, Key and eventually the Certificate

[user@server ~]$ cd /tmp
[user@server ~]$ mkdir /tmp/san_cert
[user@server ~]$ cd /tmp/san_cert

Create a file called san.cnf

[user@server ~]$ touch /tmp/san_cert/san_cert.cnf
[user@server ~]$ vi /tmp/san_cert/san_cert.cnf

Add the following content to the /tmp/san_cert/san_cert.cnf file

[ req ]
default_bits             = 2048
distinguished_name       = req_distinguished_name
req_extensions           = v3_req
prompt                   = no

[ req_distinguished_name ]
countryName              = DE
stateOrProvinceName      = BY
localityName             = Munich
organizationName         = SomeCompany
organizationalUnitName   = SomeUnit
commonName               = vip.example.com
emailAddress             = user@example.com

[ v3_req ]
subjectAltName    = @alt_names

[alt_names]
DNS.1             = vip.example.com
IP.1             = 192.0.2.10
DNS.2             = host01.example.com
IP.2             = 192.0.2.20
DNS.3             = host02.example.com
IP.3             = 192.0.2.30

To add additional SAN records, add to the alt_names section and save the file

Create the CSR #

Execute the following OpenSSL command, which will generate CSR and KEY file

[user@server ~]$ openssl req -out /tmp/san_cert/san_cert.csr -newkey rsa:2048 -nodes -keyout /tmp/san_cert/san_cert_private.key -config /tmp/san_cert/san_cert.cnf

This will create san_cert.csr and san_cert_private.key in the /tmp/san_cert/ directory. You have to send san_cert.csr to certificate signing authority so they can generate and provide you the certificate with SAN attributes.

Testing #

Verify the CSR #

You can verify the CSR has been created with the SAN attributes by running the following command, the output should list DNS and IP entries, if nothing is returned there is a problem with the cnf file.

[user@server ~]$ openssl req -noout -text -in /tmp/san_cert/san_cert.csr | grep DNS
                DNS:vip.example.com, IP Address:192.0.2.10, DNS:host01.example.com, IP Address:192.0.2.20, DNS:host02.example.com, IP Address:192.0.2.30