Last active: April 20, 2017 13:41
Create a Wildcard SubjectAltName Self-Signed Certificate
#!/usr/bin/env bash
# See: http://apetec.com/support/GenerateSAN-CSR.htm
# See: http://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/
# See: https://gist.github.com/scottvrosenthal/5691305
set -euo pipefail

# Make a temp directory and go there
TMP_DIR=$(mktemp -d)
cd "$TMP_DIR"
pwd

# Create an OpenSSL configuration file from the system default (macOS path)
cp /System/Library/OpenSSL/openssl.cnf openssl.cnf

# EDIT the file: set the [req] defaults and add the subjectAltName entries
# See: http://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/

# Generate the private key (4096-bit RSA) and keep it readable only by the owner
openssl genrsa -out private.key 4096
chmod 600 private.key

# Generate the self-signed certificate (SHA-256, valid for 10 years)
openssl req -new -x509 -nodes -sha256 -days 3650 -key private.key -out wild-san.crt -config openssl.cnf
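The gist leaves the "EDIT the file" step to the reader. As an added example (not the gist's script and not code from the pages it links), the following writes a self-contained config with the subjectAltName wiring that step needs, then generates the key and certificate and prints the SAN to confirm it was applied. It assumes a POSIX shell with openssl on PATH and uses constructed placeholder names (example.com, *.example.com, 10.0.0.5).

```shell
#!/usr/bin/env sh
# Added example (not the gist's or the linked blog's code): write a minimal
# OpenSSL config with a wildcard + IP subjectAltName, create the self-signed
# cert and confirm the SAN. Constructed placeholder names throughout.
set -eu
# Build the config. For `req -x509`, extensions come from the section named
# by x509_extensions in [req]; req_extensions only applies to CSRs.
make_san_config() {   # $1 = output path, remaining args = SAN entries
  out=$1; shift
  {
    cat <<'EOF'
[req]
default_bits       = 4096
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[dn]
CN = example.com

[v3_ca]
basicConstraints = critical, CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[alt_names]
EOF
    d=1; p=1
    for name in "$@"; do
      case $name in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) echo "IP.$p = $name"; p=$((p + 1)) ;;  # IPv4 literal
        *)                          echo "DNS.$d = $name"; d=$((d + 1)) ;;  # DNS name
      esac
    done
  } > "$out"
}
# Number of SAN entries declared in a config (lets the script check itself)
count_san_entries() { grep -cE '^(DNS|IP)\.[0-9]+ = ' "$1"; }

if command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  make_san_config "$WORK/san.cnf" example.com '*.example.com' 10.0.0.5
  # umask 077 keeps the private key unreadable to other users from the start
  (umask 077 && openssl genrsa -out "$WORK/private.key" 4096)
  openssl req -new -x509 -sha256 -days 3650 -key "$WORK/private.key" \
    -out "$WORK/wild-san.crt" -config "$WORK/san.cnf"
  # Confirm every name landed in the certificate's SAN extension
  openssl x509 -in "$WORK/wild-san.crt" -noout -text | grep -A1 'Subject Alternative Name'
fi
```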
The first step to make the process easier and repeatable in the future is to copy the default configuration file from /etc/ssl/openssl.cnf to a working directory where you can adapt it.
Let’s assume that you’ve copied /etc/ssl/openssl.cnf to ~/project-openssl.cnf. Edit the new file and set the various default values to the ones that you need — that’s better than having to respond to openssl’s prompts every time you run it.
For real non-self-signed certificates, you would generate a certificate signing request (.csr) file, ready for a certificate authority to sign it for you. In that case, you need to follow the instructions at http://wiki.cacert.org/FAQ/subjectAltName.
But for a self-signed certificate, the subjectAltName has to go in a different place. Make sure you’ve got this line present and un-commented in the [req] section of the config file:
and then this goes at the end of the [v3_ca] section:
There is (apparently) a limit to the number (or total length) of the alternate names, but I didn’t reach it with 11 domain names.
It’s also possible to add IP addresses to the alt_names section like this:
Then to create the key and self-signed certificate, run commands similar to these:
Note that I move (rather than copy) the key to the private directory to avoid leaving a copy of it lying around unprotected.
You can check that the certificate contains all the domains that you added by running this:
Alternative approach
I haven’t tried this, but according to http://apetec.com/support/GenerateSAN-CSR.htm it’s also possible to create a CSR and then self-sign it like this: