OpenSSL Creating a CSR with Additional names

As part of the new bailout project here at Gconnect, I needed an SSL cert with an additional domain in it. the first is the name of the server, the second is the name of the cluster. In order to get a certificate installed, there are a few steps to follow. First we’ll need some rsa keys generating, where the key file is called key.pem:

openssl genrsa -out key.pem 2048

Now we can generate a CSR (certificate signing request), but only after we have added a special config file, which we’ll call cert-config.txt

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Lancashire
localityName = Locality Name (eg, city)
localityName_default = Altham
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[v3_req] 
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1   = extra.domain-name.com

Now we can do a CSR generation:

# openssl req -new -key key.pem -out server.csr -config cert-config.txt 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Lancashire]:
Locality Name (eg, city) [Altham]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:host.domain-name.com
Email Address []:bill@gates.com  

Now you should have a file called server.csr, which you can check by doing this:

openssl req -text -noout -in server.csr

The output should contain something like this:

     Attributes:
        Requested Extensions:
            X509v3 Key Usage: 
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:extra.domain-name.com

Now we can submit this to our certificate provider of choice.

Hope that helps!

This entry was posted in FreeBSD Administration and tagged , , , , . Bookmark the permalink.

Leave a Reply