Certified, with multiple identities
I’ve just had to generate a new self-signed X.509 certificate for an internal website at work, and I thought I’d generate a certificate with multiple names, so we can refer to it as “www.foo.org”, and “foo.org”, and “machine.foo.org”, and all of the other variants that people are likely to generate.
It wasn’t easy to find the exact incantations needed, but for the record, here they are:
The hardest bit is understanding the structure of the configuration file, and what bits do what. The documentation (i.e. man pages) isn’t all that clear about the structure of it all. Let’s assume that the machine is called “colin.example.com”, and also serves www.colin.example.com. There are three sections needed in the config file. I’ll go through each one in turn.
The first section, above, is the “base” for the request. I think that the section name must be [req], and that this matches the openssl req command used later on. The distinguished_name parameter refers to a section in the file (which can have any name), which contains the DN for the certificate. I’m not convinced that the x509_extensions actually does anything here.
The second section is the one referred to by the distinguished_name parameter in the first section. The first chunk of this section is the prompts for the various DN sections when the certificate is generated. The second chunk (with the _default suffixes) gives the default answers for those prompts.
The last section, as with the second section, can have any name you like. It’s referred to by the x509_extensions parameter in the first section, but, as I said, I’m not sure if that has any effect. You can supply a comma-separated list of alternative names as values to the subjectAltName parameter here. There is a whole range of other options that can be supplied here, too. See man x509v3_config for the options and syntaxes.
Create the private key data:
Create a certificate request based on the data in the config file. The -config option refers to the config file we created above. The -extensions option points at the section of the file containing the extension parameters.
Sign the certificate request:
Inspect the certificate:
The important bits to see here are that the version number is 3, and that there is an X509v3 Subject Alternative Name section. If you’ve got those, then your self-signed certificate is ready to go.
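As an added, end-to-end example (my own script, not the post’s config file or commands), here is the whole procedure in one POSIX shell file: it writes a config with the three sections described above, creates the key, the request and the self-signed certificate, and then checks that the result is version 3 and carries the Subject Alternative Name. The host names colin.example.com and www.colin.example.com follow the post; the section names (req_distinguished_name, v3_req), the DN defaults, the 2048-bit key, the 365-day validity and the file names are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own config or commands. Section names,
# DN defaults, key size, validity and file names are assumptions.

# write_san_config CONF HOST [EXTRA_HOST ...]
# Writes an openssl config with the three sections the post describes:
# [req] (the base), a DN section with prompts and _default answers, and
# an extensions section carrying subjectAltName for every host given.
write_san_config() {
    conf=$1; host=$2; shift 2
    san="DNS:$host"
    for extra; do san="$san, DNS:$extra"; done
    cat > "$conf" <<EOF
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
# section used when building a certificate *request* (openssl req -new)
req_extensions      = v3_req
# section used when openssl req -x509 writes a certificate directly
x509_extensions     = v3_req

[ req_distinguished_name ]
# prompt text on the left, default answer in the _default entry
countryName                 = Country Name (2 letter code)
countryName_default         = GB
organizationName            = Organization Name (eg, company)
organizationName_default    = Example Org
commonName                  = Common Name (eg, fully qualified host name)
commonName_default          = $host

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = $san
EOF
}

# make_self_signed_cert CONF KEY CSR CERT
# Key -> request -> self-signed certificate, non-interactively.
make_self_signed_cert() {
    conf=$1; key=$2; csr=$3; cert=$4
    # 1. private key
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    # 2. request: -batch takes the _default answers instead of prompting,
    #    -reqexts names the extension section to embed in the *request*
    openssl req -new -batch -key "$key" -config "$conf" -reqexts v3_req \
        -out "$csr" 2>/dev/null || return 1
    # 3. self-sign: -extfile/-extensions are what put the SAN into the
    #    certificate (x509 -req does not copy request extensions by default)
    openssl x509 -req -in "$csr" -signkey "$key" -days 365 \
        -extfile "$conf" -extensions v3_req -out "$cert" 2>/dev/null || return 1
}

# cert_san CERT
# Fails unless the certificate is version 3 and has a Subject Alternative
# Name extension; on success prints the SAN value line.
cert_san() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Version: 3' || return 1
    printf '%s\n' "$text" | awk '
        /X509v3 Subject Alternative Name/ { getline; sub(/^ */, ""); print; found = 1 }
        END { exit !found }'
}

# Stand-alone run: write the config, then build and check the certificate
# if an openssl binary is available.
workdir=$(mktemp -d)
write_san_config "$workdir/san.cnf" colin.example.com www.colin.example.com
if command -v openssl >/dev/null 2>&1; then
    make_self_signed_cert "$workdir/san.cnf" "$workdir/key.pem" \
        "$workdir/req.csr" "$workdir/cert.pem" && cert_san "$workdir/cert.pem"
fi
```

Two points worth knowing when adapting this: for a certificate *request*, the section of extensions to embed is named by -reqexts (or the req_extensions key), whereas -extensions applies when openssl req -x509 writes a certificate directly; and when the request is signed with openssl x509 -req, the extensions must be supplied again via -extfile and -extensions, otherwise the signed certificate comes out without the Subject Alternative Name even though the request carried it. The cert_san check at the end is the scripted form of the inspection step above: version 3 plus a SAN line listing every name.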