`openssl`: Subject Alternative Name.

Subject Alternative Name means "alternative name for the subject"; it is commonly called SAN (or SANs) and is recorded in the certificate's extension area. A SAN certificate is a term often used to refer to a multi-domain SSL certificate: in a SAN certificate you can have multiple complete CNs. The names include email addresses, IP addresses, URIs and DNS names; the DNS name is usually also provided as the Common Name RDN within the Subject field of the main certificate. Firefox and Chrome now require the subjectAltName (SAN) X.509 extension for certificates. There's a clean enough list of browser compatibility here. Changing /etc/ssl/openssl.cnf isn't too hard.

If you look at an SSL certificate entry in text form, it looks something like this. Usually the domain the certificate is installed for is written in the CN= field (the spot marked "←※"), but from Chrome 58 onwards this CN= is no longer evaluated. As a result, even when the domain you are browsing matches CN=, you get an error saying the certificate cannot be verified.

Self-signed SSL certificates (memo, 2015-03-25 01:12:44 +09:00 revision)

I thought I'd write down, as a memo, how to create a self-signed SSL certificate; these get used for testing and the like. When the certificate is used with a web server such as Apache, there is also a way to remove the key passphrase if you don't want to be prompted for it at startup. The challenge password is normally left blank; set the other fields as appropriate. If the Common Name contains "*", as in "*.example.com", the result is a wildcard certificate.

Normally an SSL certificate created with OpenSSL has a single Subject and is valid for only one hostname. However, with the X509 extension SAN (Subject Alternative Name) it can be made to cover multiple hostnames. To cover multiple hostnames, prepare a text file like the following (the file name can be anything). Be careful: once the SAN extension is used, "hoge.com" is no longer valid for this certificate. If you install this SSL certificate in Apache and look at "Certificate Subject Alternative Name", it looks like this.

To create a self-signed SAN certificate with multiple subject alternate names, complete the following procedure: create an OpenSSL configuration file on the local computer, editing the fields to the company's requirements, and change alt_names appropriately. Note 1: in the example used in this article the configuration file is req.conf. By adding DNS.n entries (where n is a sequential number) under the "subjectAltName" field you'll be able to add as many additional "alternate names" as you want, even ones not related to the main domain. This is a cert that will be accepted by every major browser (including Chrome), so long as you install the certificate authority in the browser.

In addition to the post "Demystifying openssl", this describes alternative names in OpenSSL, that is, how to generate a CSR for multiple domains or IPs. There might be a need to use one certificate with multiple subject alternative names (SAN). Generate a private key, then create a configuration file:

$ openssl genrsa -out san.key 2048 && chmod 0600 san.key

Create the OpenSSL private key and CSR with two openssl commands in series:

openssl genrsa -out srvr1-example-com-2048.key 4096
openssl req -new -out srvr1-example-com-2048.csr -key srvr1-example-com-2048.key

This post details how I've been using OpenSSL to generate CSRs with Subject Alternative Name extensions. I had all sorts of fun today trying to get Subject Alternative Names working with my OpenSSL Apache server. I have added this line to the [req_attributes] section of my openssl.cnf.

How can I add a Subject Alternate Name when signing a certificate request using OpenSSL (in Windows, if that matters)? Apparently, this tool does not support creating a self-signed SSL certificate with Subject Alternative Name (SAN). Amazing, I must have missed the memo on that. If anyone knows different, please let me know. (Credit goes to the accepted solution and its comments, but I thought it might be useful to explain in detail how to sign the CSR as well …

I configured and installed a TLS/SSL certificate in the /etc/ssl/ directory on a Linux server. To set up this environment, you need to modify the OpenSSL configuration file, openssl.conf, and configure a Subject Alternative Name (SAN) certificate on Tableau Server. For SAN certificates, see: modify the OpenSSL configuration file below.

Issuing in one shot from the command line

Rather, this article is mainly about issuing the certificate in one shot from the command line. "-extfile" appears to be an option of the x509 subcommand, so it doesn't look usable here; instead the [SAN] section is appended to the stock configuration through process substitution:

[root@localhost serverAuth]# openssl req -new -newkey rsa:4096 -keyout server2.key -nodes -x509 -days 365 -out server2.csr \
> -extensions SAN -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf \
> <(printf "[SAN]\n subjectAltName=DNS:ddd.kaede.jp,DNS:fff.kaede.jp,DNS:ddd.fff.kaede.jp,IP:192.168.3.11,IP:192.168.4.5"))
Generating a 4096 bit RSA private key
~~~~~~ (omitted) ~~~~~~
writing new private key to 'server2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
~~~~~~ (omitted) ~~~~~~
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:kaede.jp
Email Address []:

Since the only extension attribute this produces is "subjectAltName", CA information and Key Usage have to be written in additionally if they are needed. Honestly, if you're going to go this far, it seems quicker to copy the conf file and reuse it. As of June 10, 2018 it is still in beta, but from 1.1.1 an "addext" option is added to "openssl req", which should make it easy to add the alternative-name attribute on the command line.

Checking the result

Generate the key and CSR, then check the SANs inside the CSR with the following command (is "Subject Alternative Name" really in there?):

openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl req -text -noout -in server.csr

Scroll down and look for the X509v3 Subject Alternative Name section, or filter for it:

$ openssl x509 -in example.crt -text -noout | grep -A1 'Subject Alternative Name'
            X509v3 Subject Alternative Name:
                DNS:www.example.com, IP Address:1.2.3.4

# openssl req -noout -text -in ban21.csr | grep -A 1 "Subject Alternative Name"
            X509v3 Subject Alternative Name:
                DNS:Some-Server

To quick-check one of your websites you may want to use a grep filter on the output of the following, looking for the line "X509v3 Subject Alternative Name: DNS:binfalse.de":

openssl s_client -showcerts -connect binfalse.de:443

$ echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text | grep "Subject Alternative Name" -A2 | grep -Eo "DNS:[a-zA-Z 0-9.

The generated certificate itself can be dumped with `openssl x509 -in server3.csr -text -noout`. An abridged dump from these examples looks like this:

Certificate:
    Data:
        Serial Number:
            ~~~~~~ (omitted) ~~~~~~
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Osaka, L=Osaka, O=Kaede, CN=kaede.jp
        Validity
            Not Before: Jun 10 08:18:01 2018 GMT
            Not After : Jun 10 08:18:01 2019 GMT
        Subject: C=JP, ST=Osaka, L=Osaka, O=Kaede, CN=kaede.jp
        Subject Public Key Info:
            ~~~~~~ (omitted) ~~~~~~
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage:
            ~~~~~~ (omitted) ~~~~~~
            X509v3 Subject Alternative Name:
                DNS:kaede.jp, DNS:aaa.kaede.jp, DNS:bbb.kaede.jp, DNS:ccc.bbb.kaede.jp, IP Address:192.168.1.1, IP Address:192.168.2.15
    Signature Algorithm: sha256WithRSAEncryption
        ~~~~~~ (omitted) ~~~~~~
SAN (Subject Alternate Name) self-signed certificate (updated 2018-09-11)

Subject Alternative Name (SAN) is an extension of the X.509 specification: the specification allows additional values to be added to an SSL certificate via the subjectAltName field, and these values are called Subject Alternative Names (SANs). You might be thinking this is wildcard SSL, but let me tell you, it's slightly different. You may have noticed that since Chrome 58, certificates that do not have Subject Alternative Name extensions show as invalid.

This article explains a simple procedure to create a self-signed certificate with OpenSSL that includes Subject Alternative Names (SAN) to get rid of this issue; the following steps are provided for informational purposes only. Reduce SSL cost and maintenance by using a single certificate for multiple websites with a SAN certificate. We start by creating the Certificate Authority root certificate that we will use later to create the self-signed certificate we need. We'll be changing only two commands from the earlier walkthrough.

The "ye olde way" is how I've typically made a CSR (Certificate Signing Request) from the IIS interface. When I inspect that CSR with openssl req -in key.csr -text I can see a corresponding section:

            X509v3 Subject Alternative Name:
                DNS:my-project.site

There is a gem, R509, that provides a high-level abstraction for working with X509.