Create self-signed SSL certificate with SubjectAltName(SAN)

Self-Signed SSL with SAN.md

How to create a self-signed SSL Certificate with SubjectAltName(SAN)

After Chrome 58, self-signed certificate without SAN is not valid anymore.

Step 1: Generate a Private Key

openssl genrsa -des3 -out example.com.key 2048

Step 2: Generate a CSR (Certificate Signing Request)

openssl req -new -key example.com.key -out example.com.csr

Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key

Step 4: Create config file for SAN

touch v3.ext

File content

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:example.com, DNS:*.example.com
issuerAltName          = issuer:copy

Step 5: Generating a Self-Signed Certificate

openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext

Reference

• http://www.akadia.com/services/ssh_test_certificate.html
• https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/
• https://www.ibm.com/support/knowledgecenter/SSB23S_1.1.0.12/gtps7/cfgcert.html

worked like a charm, many thanks!

At Step 1, you can generate an unprotected private key by omitting the -des3 flag:

openssl genrsa -out example.com.key 2048

Doing so makes Step 3 unnecessary.

This saved me a lot of headache, thanks for writing this down.

Good one

Thanks!

Quick note, if you leave basicConstraints = CA:TRUE, Firefox will think your cert is a CA and deny your request.

Omitting that, will fix the issue you're getting the MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY issue. Worth noting that as far as I know, Firefox will deny all self signed certs, and you can't get around it with security exceptions.

Your best bet is to create a CA - and then use that to sign the CSR as above. Good luck!

Actual hero

Thank you!

Worked like a charm!

Awesome

Your best bet is to create a CA - and then use that to sign the CSR as above. Good luck!
Hi, can you give instructions on how to actually do this! I'm new to this and need to do this at the moment!

Hi, can you give instructions on how to actually do this! I'm new to this and need to do this at the moment!

create a root CA

openssl req -x509 -new -nodes -key example.com.key -sha256 -days 1024 -out rootCA.pem

Then use is to sign the certificate

openssl x509 -req -in example.com.csr -CA rootCA.pem -CAkey example.com.key -CAcreateserial -out example.com.crt -days 3650 -sha256 -extfile v3.ext