Setting up CSR for multi domain SSL certificate
dman7 edited this page Nov 6, 2014 · 1 revision
Heroku's SSL endpoint reference (https://devcenter.heroku.com/articles/ssl-endpoint) is a great start. However, it doesn't help you if you're trying to create a certificate for several domains (e.g. www.denguechat.com and www.denguetorpedo.com). To do that, you need to create a CSR with a custom config file.
For the CSR step, instead of running
openssl req -nodes -new -key server.key -out server.csr
first create openssl.cnf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA
localityName = Locality Name (eg, city)
localityName_default = Berkeley
organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.denguechat.com
DNS.2 = www.denguechat.org
Then run this command:
openssl req -nodes -new -key server.key -out server.csr -config openssl.cnf
Make sure that the other domains are in the generated CSR:
dmitri@macbook: ~/Desktop $ openssl req -in server.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=CA, L=Berkeley, O=Social Apps Lab, CN=www.denguetorpedo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:cc:0b:3a:c6:fd:a3:97:c5:15:c5:c2:93:4a:c0:
79:ea:11:8b:3d:bb:8e:11:53:2e:f7:1b:cb:29:9c:
03:d6:80:c3:43:82:d1:52:72:47:2a:e9:66:c9:b6:
65:91:8c:b8:37:25:7b:d2:5d:96:a2:2c:32:9c:23:
1a:69:99:70:48:f4:4f:77:98:42:a7:32:d7:4c:72:
5b:48:1a:93:cb:b5:73:76:29:a3:71:d1:a7:05:4c:
41:81:90:a0:c9:87:67:6f:6e:ac:62:ba:71:44:08:
ac:4e:3e:38:71:c6:c8:56:d9:41:e7:c4:66:af:a5:
95:8c:50:b6:ce:68:2e:49:3b:ee:36:ed:a6:bd:f5:
a4:e7:4e:40:a5:91:32:df:7d:8e:dd:60:6e:c2:b1:
34:54:2f:e7:c2:7a:65:18:f5:ff:50:78:fb:d4:d7:
e5:38:f0:25:21:59:df:af:8e:42:58:5f:74:80:e1:
a4:14:a0:a9:b8:bd:71:e3:6d:a5:9d:9f:0a:9f:8c:
65:54:75:e7:14:16:4a:6b:8e:42:88:db:14:62:1c:
5d:43:66:2a:9c:6b:c3:bc:13:e4:49:f8:49:20:29:
c0:eb:99:3e:3b:c0:0a:37:13:b0:ef:9f:94:cb:c5:
32:9f:3a:66:27:b5:bd:de:6e:a3:aa:75:15:c1:da:
f9:ef
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:www.denguechat.com, DNS:www.denguechat.org
Signature Algorithm: sha1WithRSAEncryption
8e:90:c4:5e:37:f7:4c:be:39:9a:a0:0a:e6:c9:4d:4c:5e:e6:
d1:d1:02:c1:49:79:81:d3:af:9b:c2:cf:97:cc:e3:e2:c5:db:
db:39:cc:ce:0d:ee:20:c7:e2:b3:a2:35:e2:19:50:28:64:aa:
bb:3b:0e:25:2f:21:0a:b0:f9:44:65:99:69:66:0c:cb:34:15:
a2:29:ec:00:8c:82:50:d0:1f:a4:91:71:43:30:cc:12:02:8b:
2f:32:db:78:75:e2:38:24:d4:9a:a5:de:19:f0:ce:a1:eb:5d:
6b:a9:d9:60:36:e4:70:e6:e1:f1:b1:29:83:00:af:06:8a:4a:
84:b8:38:1b:73:cf:75:b4:30:47:f4:1e:aa:69:9c:bf:83:ad:
a1:f5:4a:d8:b3:7b:f5:c1:c3:d0:9e:5b:a0:65:70:e2:63:a8:
97:35:2f:aa:ca:6a:36:fd:01:ec:75:9b:a7:4b:82:dd:4d:a7:
3d:a4:9e:9a:7a:35:eb:44:31:a2:25:4d:c8:2b:e5:fe:15:aa:
bc:a9:ca:c8:1c:73:b2:2c:ef:12:ae:a5:5d:f2:62:bd:a0:e6:
7f:fa:ec:21:d6:d2:83:2a:3a:09:3c:5b:09:c9:d7:e7:b8:12:
07:3c:79:cd:4b:69:83:16:cd:6b:27:88:06:d1:3b:8a:f4:11:
d9:b1:3c:d4
Upload server.csr to NameCheap's SSL Activation page (https://manage.www.namecheap.com/myaccount/sslcert/csr.asp?cid=1064875), and make sure that it parses the other domains. Proceed.
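A scripted version of the "make sure that the other domains are in the generated CSR" check, as an added example that is not part of the original wiki page: it reads `openssl req -noout -text` output, lists the DNS names in the Subject Alternative Name extension, and reports every expected hostname that is missing, including the subject CN, because clients that honor SANs do not fall back to the CN. The function names and the abridged sample input are assumptions made for this example.

```shell
#!/bin/sh
# Sample input, abridged from the `openssl req -noout -text` output on this page.
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Subject: C=US, ST=CA, L=Berkeley, O=Social Apps Lab, CN=www.denguetorpedo.com
        Subject Public Key Info:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.denguechat.com, DNS:www.denguechat.org
EOF
}

# Print the DNS entries of the subjectAltName extension, one per line.
csr_san_names() {
    awk 'f { print; f = 0 } /X509v3 Subject Alternative Name/ { f = 1 }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Print the subject CN; accepts both "CN=host" and "CN = host" layouts.
csr_subject_cn() {
    sed -n 's/^[[:space:]]*Subject:.*CN *= *\([^,/]*\).*$/\1/p'
}

# stdin: CSR text; arguments: hostnames the certificate must cover.
# Prints one line per problem and returns non-zero if any was found.
csr_check_names() {
    text=$(cat)
    sans=$(printf '%s\n' "$text" | csr_san_names)
    cn=$(printf '%s\n' "$text" | csr_subject_cn)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF -- "$want"; then
            echo "missing SAN: $want"
            rc=1
        fi
    done
    if [ -n "$cn" ] && ! printf '%s\n' "$sans" | grep -qxF -- "$cn"; then
        echo "subject CN not in SAN list: $cn"
        rc=1
    fi
    return "$rc"
}

# Demo on the sample; for a real CSR pipe in: openssl req -in server.csr -noout -text
sample_csr_text | csr_check_names www.denguechat.com www.denguetorpedo.com || true
```

On the output shown on this page, the check reports that the subject CN www.denguetorpedo.com is absent from the SAN list; if the certificate must cover that name, add it as another DNS.n entry under [alt_names] before generating the CSR.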
== Reference
- Multiple Names on One Certificate: http://apetec.com/support/GenerateSAN-CSR.htm
- Multi-Domain SSL Setup with “Subject Alternative Names”: https://rtcamp.com/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/