Skip to content

Instantly share code, notes, and snippets.

@edupr91
Forked from KeithYeh/Self-Signed SSL with SAN.md
Created November 15, 2022 08:53
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save edupr91/e710917c29c2509b1542d7dc10dd9dcb to your computer and use it in GitHub Desktop.
Create self-signed SSL certificate with SubjectAltName(SAN)

How to create a self-signed SSL Certificate with SubjectAltName(SAN)

After Chrome 58, self-signed certificate without SAN is not valid anymore.

Step 1: Generate a Private Key

openssl genrsa -des3 -out example.com.key 2048

Step 2: Generate a CSR (Certificate Signing Request)

openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key

Step 4: Create config file for SAN

touch v3.ext

File content

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:example.com, DNS:*.example.com
issuerAltName          = issuer:copy

Step 5: Generating a Self-Signed Certificate

openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext

Reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment