Quick Self Signed SSL Certificate with SAN

There are thousands of articles and entries in stackexchange but none of them worked for me out of the box. So after hours of battling with this issue here is my short recipe.

Create the Root Key:

openssl genrsa -out rootCA.key 2048

Self-sign this root certificate:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3560 -out rootCA.pem

Create a certificate request for the domain you want:

You need the following in your san.cnf file to use in creating the certificate request. Just create the file where you are the certificates.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
DNS.1 = app.somedomain.co.za

openssl req -out app.somedomain.co.za.csr -newkey rsa:2048 -nodes -keyout app.somedomain.co.za.key -config san.cnf

To verify that the .csr has the SAN in it

openssl req -noout -text -in app.somedomain.co.za.csr | grep DNS

Sign your final domain certificate with your root certificate and makes sure the SAN ends up in the resulting certificate:

openssl x509 -req -in app.somedomain.co.za.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out app.somedomain.co.za.crt -days 3560 -sha256 -extfile san.cnf -extensions req_ext

Verify the result:

openssl x509 -noout -text -in app.somedomain.co.za.crt | grep DNS:

Verify the result once you have uploaded the certificates to your web server:

echo | openssl s_client -connect app.somedomain.co.za:443 | openssl x509 -noout -text | grep DNS:

What is left is to import your root certificate into your browser, and that is another nightmare since it works differently for different versions of chrome and different operating systems. You will have to google and try until it works, but at least you will have a certificate that you know is not at issue.


Tags: , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: