How to create self signed certificates for multiple domains
25 January 2010
If you want to host multiple HTTPS sites on a single IP using name-based virtual hosts, then you'll need to use a single certificate due to the way SSL works. To make this work you need to either make a wildcard certificate, which only works for subdomains of a single domain (e.g. *.mydomain.tld), or set one of the domains as the 'common name' and then put the entire list of desired domains in the X509v3 extension area.
If you want to use a 'multiple site' (not a subdomain wildcard certificate) for whatever reason (they are cheaper for a start) then the issuing authority will have an interface for specifying the extra domains. If you want to test out your server configuration first, before potentially wasting a lump of cash on the certificate, then you'll want to do a bit of self signing using openssl.
However, the alternative names (formally: 'subject alternative name') stuff isn't well documented. Here's what I did:
Choose a permanent location on disk for your certificates and keys.
In the example, my domain is domain.tld and I'm setting up two subdomains: www and www2.
cd [that location]
Generate a lovely private key and keep it somewhere safe (safe = private but backed up - if you lose it, you'll have to make a new certificate):
openssl genrsa -out www.domain.tld.key 1024
Don't put a passphrase on the key - you'd only have to enter it every time you start up Apache.
Generate a certificate request file:
openssl req -new -key www.domain.tld.key -out www.domain.tld.csr
Answer the questions! For 'Common Name' put the first domain name (www.domain.tld). Be careful to make sure all the info is correct.
Create an extensions config file for the certificate generation (you can throw this away when you're done). This is the important bit for getting the extra domains in. You need to list ALL the domains, including the one you used as the Common Name, since the Common Name you set above is only used in the absence of the subjectAltName field (I think).
In www.domain.tld.cnf:
subjectAltName=DNS:www.domain.tld,DNS:www2.domain.tld
Then run:
openssl x509 -req -days 365 \
    -in www.domain.tld.csr \
    -signkey www.domain.tld.key \
    -text \
    -extfile www.domain.tld.cnf \
    -out www.domain.tld.crt
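The whole procedure above, scripted end to end and followed by the check you'd want before paying for the real certificate: which hostnames the finished certificate is actually valid for. This is an added example, not the post's own commands; it assumes openssl 1.0.2 or later is on PATH, uses non-interactive -subj instead of answering the questions by hand, writes to a ./certs directory, and picks a 2048-bit key because current browsers refuse 1024-bit ones. The function and hostname names are placeholders. The last two calls in the demo confirm the hedged point in the text: once a subjectAltName is present, OpenSSL's hostname check consults only the SAN list, so a Common Name left out of it does not match.

```shell
#!/bin/sh
# Added example (not from the original post): build a self-signed certificate
# whose subjectAltName covers several hostnames, then verify which names the
# certificate matches. Assumes openssl >= 1.0.2 on PATH; paths and hostnames
# are placeholders.
set -eu

# make_san_cert DIR CN ALTNAMES
#   DIR      - where key/csr/cnf/crt land (created if missing)
#   CN       - Common Name, i.e. the first hostname
#   ALTNAMES - comma-separated hostnames for subjectAltName (repeat the CN here)
make_san_cert() {
    dir=$1; cn=$2; altnames=$3
    mkdir -p "$dir"
    # 2048 bits instead of the 2010-era 1024: browsers now reject 1024-bit keys.
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
    # -subj makes the request non-interactive; the key has no passphrase.
    openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" -out "$dir/$cn.csr"
    # The throwaway extensions file: "a,b" becomes "DNS:a,DNS:b".
    printf 'subjectAltName=DNS:%s\n' \
        "$(printf '%s' "$altnames" | sed 's/,/,DNS:/g')" > "$dir/$cn.cnf"
    openssl x509 -req -days 365 \
        -in "$dir/$cn.csr" -signkey "$dir/$cn.key" \
        -extfile "$dir/$cn.cnf" -out "$dir/$cn.crt" 2>/dev/null
}

# cert_sans CRT : print the SAN line baked into the certificate
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# name_matches CRT HOSTNAME : exit status 0 if the cert is valid for HOSTNAME.
# The self-signed cert is passed as its own trust anchor (-CAfile), so the only
# thing that can fail here is the hostname check.
name_matches() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    make_san_cert ./certs www.domain.tld "www.domain.tld,www2.domain.tld"
    cert_sans ./certs/www.domain.tld.crt
    name_matches ./certs/www.domain.tld.crt www2.domain.tld && echo "www2.domain.tld: OK"
    name_matches ./certs/www.domain.tld.crt www3.domain.tld || echo "www3.domain.tld: not covered"
    # CN present but omitted from the SAN list: the SAN wins, so the CN fails.
    make_san_cert ./certs-cnonly www.domain.tld "www2.domain.tld"
    name_matches ./certs-cnonly/www.domain.tld.crt www.domain.tld || echo "CN alone: not covered"
fi
```

Run it with `sh make-san-cert.sh demo`; the -text flag from the post is left out so the .crt holds only the PEM block, which is what Apache's SSLCertificateFile needs.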
Related tags: https, ssl certificate, virtual hosts