Generate SSL Certificates with SAN Attributes
This document will guide you through creating a Certificate Signing Request (CSR) with Subject Alertnative Names (SAN).
Table of Contents
- Table of contents
- Getting Started
These instructions have been run on a RHEL Linux system.
SAN stands for “Subject Alternative Names” and this helps you to have a single certificate for multiple CN (Common Name). In SAN certificate, you can have multiple complete CN.
You can have the above domains and more in a single certificate. One use case for this is loadbalancing, the Virtual IP could be the CN and then the hosts behind the LB would be the SAN entries.
Next we look at a real life example of wikipedia.org, which has many SAN entries in a single certificate.
As you can see in the screenshot there are multiple SAN entries for the wikipedia.org URL.
A working installation of OpenSSL
[root@server ~]# yum install openssl
Create CSR Config
Create a directory to hold the CSR, Key and eventually the Certificate
[user@server ~]$ cd /tmp [user@server ~]$ mkdir /tmp/san_cert [user@server ~]$ cd /tmp/san_cert
Create a file called san.cnf
[user@server ~]$ touch /tmp/san_cert/san_cert.cnf [user@server ~]$ vi /tmp/san_cert/san_cert.cnf
Add the following content to the
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [ req_distinguished_name ] countryName = DE stateOrProvinceName = BY localityName = Munich organizationName = SomeCompany organizationalUnitName = SomeUnit commonName = vip.example.com emailAddress = email@example.com [ v3_req ] subjectAltName = @alt_names [alt_names] DNS.1 = vip.example.com IP.1 = 192.0.2.10 DNS.2 = host01.example.com IP.2 = 192.0.2.20 DNS.3 = host02.example.com IP.3 = 192.0.2.30
To add additional SAN records, add to the
alt_names section and save the file
Create the CSR
Execute the following OpenSSL command, which will generate CSR and KEY file
[user@server ~]$ openssl req -out /tmp/san_cert/san_cert.csr -newkey rsa:2048 -nodes -keyout /tmp/san_cert/san_cert_private.key -config /tmp/san_cert/san_cert.cnf
This will create san_cert.csr and san_cert_private.key in the
/tmp/san_cert/ directory. You have to send san_cert.csr to certificate signing authority so they can generate and provide you the certificate with SAN attributes.
Verify the CSR
You can verify the CSR has been created with the SAN atrributes by running the following command, the output should list DNS and IP entries, if nothing is returned there is a problem with the cnf file.
[user@server ~]$ openssl req -noout -text -in /tmp/san_cert/san_cert.csr | grep DNS DNS:vip.example.com, IP Address:192.0.2.10, DNS:host01.example.com, IP Address:192.0.2.20, DNS:host02.example.com, IP Address:192.0.2.30