Skip to content

Instantly share code, notes, and snippets.

@KeithYeh
Created October 14, 2017 13:12
  • Star 55 You must be signed in to star a gist
  • Fork 26 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Create self-signed SSL certificate with SubjectAltName(SAN)

How to create a self-signed SSL Certificate with SubjectAltName(SAN)

After Chrome 58, self-signed certificate without SAN is not valid anymore.

Step 1: Generate a Private Key

openssl genrsa -des3 -out example.com.key 2048

Step 2: Generate a CSR (Certificate Signing Request)

openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key

Step 4: Create config file for SAN

touch v3.ext

File content

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:example.com, DNS:*.example.com
issuerAltName          = issuer:copy

Step 5: Generating a Self-Signed Certificate

openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext

Reference

@mnbucher
Copy link

worked like a charm, many thanks!

@gutierrezps
Copy link

At Step 1, you can generate an unprotected private key by omitting the -des3 flag:

openssl genrsa -out example.com.key 2048

Doing so makes Step 3 unnecessary.

@calebAtApica
Copy link

This saved me a lot of headache, thanks for writing this down.

@gvijay452
Copy link

Good one

@MathiasMaier
Copy link

Thanks!

@uday-cohere
Copy link

Quick note, if you leave basicConstraints = CA:TRUE, Firefox will think your cert is a CA and deny your request.

Omitting that, will fix the issue you're getting the MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY issue. Worth noting that as far as I know, Firefox will deny all self signed certs, and you can't get around it with security exceptions.

Your best bet is to create a CA - and then use that to sign the CSR as above. Good luck!

@JackMBurch
Copy link

Actual hero

@andytzuen
Copy link

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment