marekhrabe/openssl-self-signed-san-certificate.md

## openssl-self-signed-san-certificate.md

      
    Raw
  

              openssl-self-signed-san-certificate.md
            
          
    How to generate a self-signed SAN SSL/TLS certificate using openssl

Generating a self-signed certificate is a common taks and the command to generate one with openssl is well known and well documented. Generating a certificate that includes subjectAltName is not so straght forward however. The following example demonstrates how to generate a SAN certificate without making a permanent change to the openssl configuration.
Generate a list of all required DNS names, (Note: CN will be discarded).

$ export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"

Generate a configuration with the addition of the san extension.

NOTE: On OSX [EL Capitan] the openssl configuration file path is: /System/Library/OpenSSL/openssl.cnf instead of the RHEL/CentOS default of /etc/pki/tls/openssl.cnf.
$ cat \
	/etc/pki/tls/openssl.cnf \
	- \
	<<-CONFIG > /tmp/www.domain.localdomain.cnf

[ san ]
subjectAltName="${SAN:-root@localhost.localdomain}"
CONFIG

Generate the certificate using the additional parameters -config, -reqext, and -extensions:

$ openssl req \
	-x509 \
	-sha256 \
	-nodes \
	-newkey rsa:2048 \
	-days 365 \
	-reqexts san \
	-extensions san \
	-subj "/CN=www.domain.localdomain" \
	-config /tmp/www.domain.localdomain.cnf \
	-keyout /etc/pki/tls/private/www.domain.localdomain.crt \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

Generate a new Diffie-Hellman Group

Warning! this takes a while...
$ openssl dhparam \
	-out /tmp/dhparams.pem \
	2048

Append the DH PARAMS to the certificate.
$ cat /tmp/dhparams.pem \
	>> /etc/pki/tls/certs/www.domain.localdomain.crt