Skip to content

Instantly share code, notes, and snippets.

@KeithYeh

KeithYeh/Self-Signed SSL with SAN.md

Created October 14, 2017 13:12
Show Gist options
  • Star 75 You must be signed in to star a gist
  • Fork 32 You must be signed in to fork a gist
  • Save KeithYeh/bb07cadd23645a6a62509b1ec8986bbc to your computer and use it in GitHub Desktop.
Save KeithYeh/bb07cadd23645a6a62509b1ec8986bbc to your computer and use it in GitHub Desktop.
Download ZIP
Create self-signed SSL certificate with SubjectAltName(SAN)
Raw
Self-Signed SSL with SAN.md

How to create a self-signed SSL Certificate with SubjectAltName(SAN)

After Chrome 58, self-signed certificate without SAN is not valid anymore.

Step 1: Generate a Private Key

openssl genrsa -des3 -out example.com.key 2048

Step 2: Generate a CSR (Certificate Signing Request)

openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key

Step 4: Create config file for SAN

touch v3.ext

File content

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:example.com, DNS:*.example.com
issuerAltName          = issuer:copy

Step 5: Generating a Self-Signed Certificate

openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext

Reference

@mnbucher
Copy link

worked like a charm, many thanks!

@gutierrezps
Copy link

At Step 1, you can generate an unprotected private key by omitting the -des3 flag:

openssl genrsa -out example.com.key 2048

Doing so makes Step 3 unnecessary.

@calebAtApica
Copy link

This saved me a lot of headache, thanks for writing this down.

@gvijay452
Copy link

Good one

@MathiasMaier
Copy link

Thanks!

@uday-cohere
Copy link

Quick note, if you leave basicConstraints = CA:TRUE, Firefox will think your cert is a CA and deny your request.

Omitting that, will fix the issue you're getting the MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY issue. Worth noting that as far as I know, Firefox will deny all self signed certs, and you can't get around it with security exceptions.

Your best bet is to create a CA - and then use that to sign the CSR as above. Good luck!

@JackMBurch
Copy link

Actual hero

@andytzuen
Copy link

Thank you!

@dasgoll
Copy link

dasgoll commented Sep 30, 2023

Worked like a charm!

@vineet4183
Copy link

Awesome

@billmcnamara
Copy link

Your best bet is to create a CA - and then use that to sign the CSR as above. Good luck!
Hi, can you give instructions on how to actually do this! I'm new to this and need to do this at the moment!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment