As part of the new bailout project here at Gconnect, I needed an SSL cert with an additional domain in it: the first name is the server's, the second is the cluster's. Getting a certificate installed takes a few steps. First we need to generate an RSA key, which we'll save in a file called key.pem:
openssl genrsa -out key.pem 2048
Now we can generate a CSR (certificate signing request), but only after we have written a small config file, which we'll call cert-config.txt. The [v3_req] section requests the extensions, and the [alt_names] section lists the extra DNS names that go into the Subject Alternative Name:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Lancashire
localityName = Locality Name (eg, city)
localityName_default = Altham
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = extra.domain-name.com
Now we can generate the CSR, answering the prompts (the defaults from the config are shown in brackets):
# openssl req -new -key key.pem -out server.csr -config cert-config.txt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Lancashire]:
Locality Name (eg, city) [Altham]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:host.domain-name.com
Email Address []:bill@gates.com
Now you should have a file called server.csr, which you can inspect like this:
openssl req -text -noout -in server.csr
The output should contain the requested extensions, including the alternative name:
Attributes:
Requested Extensions:
    X509v3 Key Usage:
        Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 Subject Alternative Name:
        DNS:extra.domain-name.com
Now we can submit this to our certificate provider of choice.
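The same procedure run non-interactively, as an added example that is not from the original post: it writes the config, generates the key and CSR, and checks that the CSR really carries every hostname before it is sent to the CA (the CN is listed in the SAN too, since current clients match only SAN entries). Hostnames, DN values and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the SAN config, generate the
# key and CSR without prompts, then verify every hostname is in the CSR before
# it goes to the CA. Hostnames, paths and DN values below are assumptions.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write cert-config.txt covering CN ($1) as DNS.1 plus any extra names ($2..).
# The CN is listed in the SAN too, because clients validate the SAN list only.
write_csr_config() {
    cn="$1"; shift
    cfg="$WORKDIR/cert-config.txt"
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n\n'
        printf '[req_distinguished_name]\nC = GB\nST = Lancashire\nL = Altham\nCN = %s\n\n' "$cn"
        printf '[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1))
        done
    } > "$cfg"
    echo "$cfg"
}

# Generate key.pem and server.csr from that config; prints the CSR path.
make_csr() {
    cfg=$(write_csr_config "$@")
    openssl genrsa -out "$WORKDIR/key.pem" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/key.pem" -out "$WORKDIR/server.csr" -config "$cfg"
    echo "$WORKDIR/server.csr"
}

# List the DNS names in the CSR's Subject Alternative Name extension, one per line.
csr_sans() {
    openssl req -text -noout -in "$1" | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed 's/^ *DNS://'
}

# Succeed only if every hostname given is present in the CSR's SAN list.
csr_covers() {
    csr="$1"; shift
    for name in "$@"; do
        csr_sans "$csr" | grep -qx "$name" || return 1
    done
}

csr=$(make_csr host.domain-name.com extra.domain-name.com)
csr_covers "$csr" host.domain-name.com extra.domain-name.com && echo "CSR covers: $(csr_sans "$csr" | tr '\n' ' ')"
```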
Hope that helps!