@bitoiu
Last active September 19, 2023 09:37
Self-Signed Wildcard certificate with SAN using openssl / SSL

Copy the default openssl.cnf template to a writable location.

cp /System/Library/OpenSSL/openssl.cnf src

Uncomment the req_extensions = v3_req line:

req_extensions = v3_req # The extensions to add to a certificate request

Add subjectAltName to the v3_req section:

[ v3_req ]
 
# Extensions to add to a certificate request
 
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

Add the main hostname and the wildcard to a new [alt_names] section:

[alt_names]
DNS.1 = yourdomain.com
DNS.2 = *.yourdomain.com

For example, for octodemo.com:

[alt_names]
DNS.1 = octodemo.com
DNS.2 = *.octodemo.com

Run the following and fill in all the essential information, especially the CN (Common Name):

openssl genrsa -out hostname.key 2048
openssl rsa -in hostname.key -out hostname-key.pem
openssl req -new -key hostname-key.pem -out hostname-request.csr
openssl x509 -req -extensions v3_req -days 365 -in hostname-request.csr -signkey hostname-key.pem -out hostname-cert.pem -extfile <path to openssl.conf>
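As an added example (not part of the gist), the same procedure as one self-contained script: it writes a minimal, constructed openssl.cnf with the v3_req and alt_names sections above, issues the key and self-signed wildcard certificate in a single openssl req -x509 step (no passphrase, SHA-256), and then checks that the SAN is really present and that hostname matching behaves as expected. It assumes OpenSSL 1.1.1 or later on PATH; octodemo.com and the output paths are constructed values.

```shell
#!/bin/sh
# Added example, not the gist's own commands. Assumes OpenSSL >= 1.1.1 on PATH.
set -eu

# make_wildcard_cert DOMAIN OUTDIR: writes a constructed openssl.cnf, a key and a self-signed wildcard cert into OUTDIR.
make_wildcard_cert() {
    domain="$1"; out="$2"
    mkdir -p "$out"
    # Only the sections the gist relies on; subjectAltName points at alt_names.
    cat > "$out/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $domain

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $domain
DNS.2 = *.$domain
EOF
    # -x509 self-signs in one step; -nodes skips the passphrase; -sha256 avoids SHA-1.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$out/hostname-key.pem" -out "$out/hostname-cert.pem" \
        -config "$out/openssl.cnf" -extensions v3_req
}

# san_of CERT: prints the SAN entries, e.g. "DNS:octodemo.com,DNS:*.octodemo.com"
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# matches_host CERT HOST: exit 0 if the cert, trusted as its own anchor, covers HOST.
# A wildcard covers one label only: www.octodemo.com matches, a.b.octodemo.com does not.
matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    make_wildcard_cert octodemo.com ./out
    san_of ./out/hostname-cert.pem
    matches_host ./out/hostname-cert.pem www.octodemo.com && echo "www.octodemo.com: covered"
fi
```

Run it as `sh script.sh demo`; the SAN line it prints is what browsers match against, so a certificate without it (the CN alone) is rejected by modern clients.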
@thishandle

Thanks for this, many other instructions failed me.
One note: -signkey hostname-key.pem should be -signkey hostname-key.key in the last command example.

@danemacmillan

A couple of notes:

  • Remove -des3 from first command to avoid providing a passphrase.
  • Pass -sha256 to the last command to ensure it is not using SHA1, which is not recommended for SSL certificates anymore.

@bitoiu
Author

bitoiu commented Sep 25, 2020

Cheers @thishandle and @danemacmillan :octocat:❤️

@bitoiu
Author

bitoiu commented Sep 25, 2020

> Pass -sha256 to the last command to ensure it is not using SHA1, which is not recommended for SSL certificates anymore.

Does it matter where? So would this be ok?

openssl x509 -req -extensions v3_req -days 365 -in hostname-request.csr -signkey hostname-key.pem -out hostname-cert.pem -extfile <path to openssl.conf>

@lwaggonerExpedia

openssl.conf is in the apache folder by default (under conf) - or you can download the default somewhere and edit it.

This seems to work for me (note I used hostname.key, not hostname-key.key - there is only hostname-key.pem and hostname.key) - otherwise you get an error:

I ran this from my apache dir:

openssl x509 -sha256 -req -extensions v3_req -days 365 -in hostname-request.csr -signkey hostname.key -out hostname-cert.pem -extfile ./conf/openssl.cnf
