Table of Contents
In this tutorial we will learn about SAN certificates and steps to generate CSR for SAN certificates.
What are SAN (Subject Alternative name) Certificates
- SAN is an acronym for Subject Alternative Name
- These certificates generally cost a little bit more than single-name certs, because they have more capabilities.
- When you request a SAN certificate, you have the option of defining multiple DNS names that the certificate can protect.
- Once issued, the SAN certificate will contain a primary DNS name, which is typically the main name of the website, and, further inside the cert properties, you will find listed the additional DNS names that you specified during your request.
- This single certificate can be installed on a web server and used to validate traffic for any of the DNS names that are contained in the certificate.
- For example have a look at the certificate of
facebook.com. It is using a Subject Alternative Name with multiple DNS defined in the certificate so it avoids creating multiple certificate for each sub domain.
Generate Private Key
First of all we need a private key. Now I could have combined the steps to generate private key and CSR for SAN but let's keep it simple. I have not assigned any passphrase to the private key, you can also use -des3 encryption algorithm to add a passphrase to your private key
# openssl genrsa -out priv.key 4096 Generating RSA private key, 4096 bit long modulus (2 primes) .......................................................++++ .................++++ e is 65537 (0x010001)
Generate CSR for SAN Certificate
We will not use the complete /etc/pki/tls/openssl.cnf instead we will create our own custom ssl configuration file with required parameters only.
To generate CSR for SAN we need distinguished_name and req_extensions
I have also added the value for individual distinguished_name parameters in this configuration file to avoid user prompt. If you are not familiar with these parameters then I suggest you to read beginners guide to understand all certificate related terminologies used with openssl and openssl configuration file
# cat server_cert.cnf [req] distinguished_name = req_distinguished_name req_extensions = req_ext prompt = no [req_distinguished_name] C = IN ST = Karnataka L = Bengaluru O = GoLinuxCloud OU = R&D CN = ban21.example.com [req_ext] subjectAltName = @alt_names [alt_names] IP.1 = 10.10.10.13 IP.2 = 10.10.10.14 IP.3 = 10.10.10.17 DNS.1 = centos8-2.example.com DNS.2 = centos8-3.example.com
If you prefer to manually enter the CSR details such as Country, State, Common Name etc then you can use this configuration file
[req] [req] distinguished_name = req_distinguished_name req_extensions = req_ext [req_distinguished_name] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (eg, city) organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, your name or your server\'s hostname) emailAddress = Email Address [req_ext] subjectAltName = @alt_names [alt_names] IP.1 = 10.10.10.13 IP.2 = 10.10.10.14 IP.3 = 10.10.10.17 DNS.1 = centos8-2.example.com DNS.2 = centos8-3.example.com
Next we will use
openssl to generate our Certificate Signing Request for SAN certificate.
# openssl req -new -key priv.key -out ban21.csr -config server_cert.cnf
Since we have used
prompt=no and have also provided the CSR information, there is no output for this command but our CSR is generated
# ls -l ban21.csr -rw-r--r-- 1 root root 1842 Aug 10 15:55 ban21.csr
Verify Subject Alternative Name value in CSR
Next verify the content of your Certificate Signing Request to make sure it contains Subject Alternative Name section under "Requested Extensions"
# openssl req -noout -text -in ban21.csr | grep -A 1 "Subject Alternative Name"
So our CSR contains all the IP Address and DNS value which we provided while generating the CSR for SAN.
Now since you have your Certificate Signing Request, you can send it to Certificate Authority to generate SAN certificates. If this was created for intranet then you can also create your own CA certificate or CA certificate chain and use these CA to sign and generate your server certificates
- Create your own Certificate Authority and generate a certificate signed by your CA
- Create SAN Certificate to protect multiple DNS, CN and IP Addresses of the server in a single certificate
In this tutorial I gave you an overview on SAN certificates, and the steps to create Certificate Signing Request for SAN certificates using openssl in Linux. SAN certificates have gained alot of popularity with major domains across world choose for this option as this saves money because it avoids creating individual certificates for respective domains.
Lastly I hope the steps from the article to generate csr for SAN on Linux using openssl was helpful. So, let me know your suggestions and feedback using the comment section.