How to generate a self-signed SAN SSL/TLS certificate using openssl

Generating a self-signed certificate is a common task and the command to generate one with openssl is well known and well documented. Generating a certificate that includes a subjectAltName is not so straightforward, however. The following example demonstrates how to generate a SAN certificate without making a permanent change to the openssl configuration.

Generate a list of all required DNS names (note: clients ignore the CN once a SAN extension is present, so every name must appear here).

$ export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"

Generate a configuration with the addition of the san extension.

NOTE: On OS X (El Capitan) the openssl configuration file path is /System/Library/OpenSSL/openssl.cnf instead of the RHEL/CentOS default of /etc/pki/tls/openssl.cnf.

$ cat \
	/etc/pki/tls/openssl.cnf \
	- \
	<<-CONFIG > /tmp/www.domain.localdomain.cnf

[ san ]
subjectAltName="${SAN:-email:root@localhost.localdomain}"
CONFIG

Generate the certificate using the additional parameters -config, -reqexts, and -extensions:

$ openssl req \
	-x509 \
	-sha256 \
	-nodes \
	-newkey rsa:2048 \
	-days 365 \
	-reqexts san \
	-extensions san \
	-subj "/CN=www.domain.localdomain" \
	-config /tmp/www.domain.localdomain.cnf \
	-keyout /etc/pki/tls/private/www.domain.localdomain.crt \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

Generate a new Diffie-Hellman group.

Warning: this takes a while...

$ openssl dhparam \
	-out /tmp/dhparams.pem \
	2048

Append the DH PARAMS to the certificate.

$ cat /tmp/dhparams.pem \
	>> /etc/pki/tls/certs/www.domain.localdomain.crt
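The whole procedure above as an added, runnable example; this is not code from the gist. It goes a step further than the gist in two ways: the config is written from scratch (openssl req only needs a [ req ] section naming a distinguished_name section, which may stay empty when -subj is used), so it does not depend on the RHEL or OS X path of the system openssl.cnf, and IPv4 addresses are tagged as IP: entries alongside the DNS: ones. Key and certificate go to separate files, and the SAN extension is read back out of the finished certificate. All hostnames and paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the gist: build a self-contained openssl config
# with a [ san ] section, issue a self-signed certificate from it, and read
# the SAN extension back out of the result. Hostnames and paths are
# constructed sample values.

# san_list HOST...: join hosts into a subjectAltName value. Anything made of
# only digits and dots is tagged IP: (IPv4 only), everything else DNS:.
san_list() {
    out=""
    for h in "$@"; do
        case "$h" in
            *[!0-9.]*) entry="DNS:$h" ;;
            *)         entry="IP:$h" ;;
        esac
        out="${out:+$out,}$entry"
    done
    printf '%s' "$out"
}

# write_san_config FILE SAN: write a minimal req config. openssl req only
# requires a [ req ] section that names a distinguished_name section; that
# section may stay empty because the subject is passed with -subj. This
# avoids the OS-specific path of the system openssl.cnf altogether.
write_san_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ san ]
subjectAltName = $2
EOF
}

# gen_san_cert CN SAN KEYFILE CERTFILE: self-signed cert, key in its own file.
# With -x509 the section named by -extensions is what lands in the certificate.
gen_san_cert() {
    cfg="$4.cnf"
    write_san_config "$cfg" "$2"
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$1" -extensions san -config "$cfg" \
        -keyout "$3" -out "$4"
}

# cert_san CERTFILE: print the subjectAltName line of a certificate.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Run with "demo" as the first argument to exercise the functions end to end.
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    san=$(san_list www.domain.localdomain domain.localdomain 10.0.0.5)
    gen_san_cert www.domain.localdomain "$san" "$dir/www.key" "$dir/www.crt"
    cert_san "$dir/www.crt"
fi
```

With OpenSSL 1.1.1 or newer the config file is not needed at all: `openssl req -x509 ... -addext "subjectAltName=DNS:www.domain.localdomain,DNS:domain.localdomain"` adds the extension directly. The config-file route above works on older releases as well, which is why the gist uses it.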
@abohmeed abohmeed commented May 14, 2021

Thanks for the gist.
I think there is a typo in the command, you mentioned

-keyout /etc/pki/tls/private/www.domain.localdomain.crt \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

while it should be

-keyout /etc/pki/tls/private/www.domain.localdomain.key \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt
@jdeathe jdeathe commented May 14, 2021

Thanks for the gist.
I think there is a typo in the command, you mentioned

-keyout /etc/pki/tls/private/www.domain.localdomain.crt \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

while it should be

-keyout /etc/pki/tls/private/www.domain.localdomain.key \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

The file extension doesn’t matter it outputs a PEM file regardless of what extension you use. It’s just an example and you can use whatever file names or paths you like.

@abohmeed abohmeed commented May 15, 2021

@jdeathe jdeathe commented May 15, 2021

I don't think you got me. You are using the same filename and extension for the key and certificate, which would result in one file getting overwritten. So while the command is supposed to yield a key and a certificate (2 files) it generates only one.

On Fri, 14 May 2021 at 8:38 PM James Deathe wrote:

Thanks for the gist. I think there is a typo in the command, you mentioned -keyout /etc/pki/tls/private/www.domain.localdomain.crt \ -out /etc/pki/tls/certs/www.domain.localdomain.crt while it should be -keyout /etc/pki/tls/private/www.domain.localdomain.key \ -out /etc/pki/tls/certs/www.domain.localdomain.crt The file extension doesn't matter, it outputs a PEM file regardless of what extension you use. It's just an example and you can use whatever file names or paths you like.

If you look again, you will see the paths are not the same; the output will be 2 files in 2 different directories. If you did change the paths to match, openssl would still generate a valid combined PEM file containing both the certificate and the private key, to which you append the DH PARAMS. HAProxy requires a single PEM file, so using the same output path for key and certificate saves you having to concatenate later.
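An added example for the bundling discussed in this thread; it is not code from the gist or from either commenter. It assembles the single PEM file HAProxy expects from a separate key, certificate and any extra PEM files (such as the DH parameters), and first checks that the private key really belongs to the certificate, which is the mistake the thread was worried about: a mismatched or overwritten key pair fails that check rather than being deployed. File names are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the gist or the thread: assemble the single PEM
# bundle that HAProxy expects from a separate key, certificate and optional
# extra PEM files (such as DH parameters), refusing to bundle a key that does
# not belong to the certificate. File names are constructed sample values.

# key_matches_cert CERTFILE KEYFILE: succeed only when the public key embedded
# in the certificate equals the public key derived from the private key.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# bundle_pem BUNDLE CERTFILE KEYFILE [EXTRA...]: write cert, key and extras
# into BUNDLE, in that order, owner-readable only since it holds a private key.
bundle_pem() {
    bundle="$1"; crt="$2"; key="$3"; shift 3
    if ! key_matches_cert "$crt" "$key"; then
        echo "refusing to bundle: $key does not match $crt" >&2
        return 1
    fi
    ( umask 077 && cat "$crt" "$key" "$@" > "$bundle" )
}

# pem_labels FILE: comma-separated list of the PEM block types in FILE, in
# order, e.g. CERTIFICATE,PRIVATE KEY,DH PARAMETERS. Needs no openssl.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | paste -sd, -
}

# Run with "demo" plus existing key, cert and optional DH param files to
# produce bundle.pem in the current directory and list what went into it.
if [ "${1:-}" = demo ]; then
    shift
    bundle_pem bundle.pem "$@" && pem_labels bundle.pem
fi
```

The order inside the bundle (certificate, then key, then DH parameters) matches what the gist produces by appending, and pem_labels gives a quick way to confirm a deployed bundle actually contains all three block types.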
