Create self signed certificates with Subject Alternative Names


This video explains how to create a self signed certificate with Subject Alternative Names (SAN).

A certificate with Subject Alternative Names is a single certificate that is valid for multiple host names, where a classic certificate only named one host in its Common Name (CN), for example:
– mobilefish.com
– sand.mobilefish.com
– baidu.com
– china.com

This means this single certificate can be used in multiple URLs:
– https://mobilefish.com
– https://sand.mobilefish.com
– https://baidu.com
– https://china.com

Chrome browsers will issue a warning if your SSL certificate does not specify Subject Alternative Names.

This video assumes that you have installed OpenSSL.
More information on how to install and use OpenSSL: https://www.openssl.org

To check if your system has OpenSSL installed, type: openssl version -a

The procedure to create self signed certificates with Subject Alternative names is also documented at:
https://www.mobilefish.com/developer/apache/apache_quickguide_install_macos_sierra.html

Warning: Never use self signed certificates in production environments.
It is okay to use them in development or testing environments.

1. Create a 2048 bit Certificate Authority (CA) private key:
sudo openssl genrsa -out privkey.pem 2048

The CA private key is created: privkey.pem

2. Create a self signed CA certificate:
sudo openssl req -new -x509 -days 3650 -nodes -key privkey.pem -sha256 -out ca.pem

3. Fill in the Certificate Authority (CA) certificate details when prompted:
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-Holland
Locality Name (eg, city) []:Zaandam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mobilefish.com CA

The CA certificate is created: ca.pem

4. Create a server configuration file (server.csr.cnf). Example:
https://www.mobilefish.com/download/openssl/sand.mobilefish.csr.cnf.txt
Download and modify the server configuration file according to your situation.

[req]
# prompt = no makes "openssl req" read the subject from the [dn] section instead of asking interactively
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = dn

[dn]
C = NL
ST = Noord-Holland
L = Zaandam
O = End Point
OU = Research and development
emailAddress = rd@mobilefish.com
CN = sand.mobilefish.com

5. Create a server Certificate Signing Request (CSR) and server private key.
sudo openssl req -new -nodes -out server.csr -keyout server.key -config server.csr.cnf

The server CSR is created: server.csr
The server private key is created: server.key

6. Create a server extension file (server_v3.ext). Example:
https://www.mobilefish.com/download/openssl/sand.mobilefish_v3.ext.txt

Modify the server extension file according to your situation.

Add Subject Alternative Names (the subjectAltName line points OpenSSL at the [alt_names] section):
basicConstraints = CA:FALSE
subjectAltName = @alt_names

[alt_names]
DNS.1 = sand.mobilefish.com
DNS.2 = proxy.mobilefish.com

In the server configuration file (server.csr.cnf) I have used “CN = sand.mobilefish.com”.
This common name must also be listed as one of the Subject Alternative Names, because browsers match the host name against the SAN list rather than the CN.

7. Create the server certificate:
sudo openssl x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext 

The server certificate is created: server.crt
The serial number file is created: ca.srl

Each issued certificate must carry a serial number that is unique among all certificates issued by that CA.
OpenSSL keeps track of the last used serial number in the ca.srl file and increments it for the next certificate.
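The whole procedure (steps 1 to 7) as one POSIX shell script, added here as an example and not the tutorial author's own script: it builds the CA and the SAN server certificate in a scratch directory, using the tutorial's file names and constructed subject values, and then checks the result the way a TLS client would (chain to ca.pem plus host name against the SAN list). It assumes the openssl binary is on the PATH; sudo is not needed for any of these commands.

```shell
# Added example (not the tutorial author's script): runs steps 1-7 above in a
# scratch directory, then checks the result the way a TLS client would.
set -eu
make_san_cert() {          # $1 = working directory
  dir=$1; mkdir -p "$dir"
  # Steps 1-2: CA key, then self-signed CA cert with an explicit v3_ca section
  # so the root is a real CA regardless of the system openssl.cnf
  openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ca_dn]
CN = Mobilefish.com CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign
EOF
  openssl req -new -x509 -days 3650 -key "$dir/privkey.pem" -sha256 \
    -config "$dir/ca.cnf" -out "$dir/ca.pem"
  # Steps 4-5: request config with prompt=no, then server key + CSR
  cat > "$dir/server.csr.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = NL
O = End Point
CN = sand.mobilefish.com
EOF
  openssl req -new -nodes -out "$dir/server.csr" -keyout "$dir/server.key" \
    -config "$dir/server.csr.cnf" 2>/dev/null
  # Step 6: extensions; the CN must be repeated under alt_names
  cat > "$dir/server_v3.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = sand.mobilefish.com
DNS.2 = proxy.mobilefish.com
EOF
  # Step 7: sign the CSR with the CA, applying the extension file
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/privkey.pem" -CAcreateserial -out "$dir/server.crt" \
    -days 3650 -extfile "$dir/server_v3.ext" 2>/dev/null
}
# Exit 0 only if server.crt chains to ca.pem AND $2 matches a SAN entry
check_san() {              # $1 = working directory, $2 = hostname
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
    "$1/server.crt" >/dev/null 2>&1
}
```

A name that is not in [alt_names] (china.com, say) fails the host name check even though the certificate itself is valid, which is exactly the behaviour the browser warning above describes.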

The server certificate (server.crt) and server private key (server.key) are the two files you need to install on your server (Apache web server, proxy server).
Always keep the private keys secure:
– CA private key (privkey.pem)
– Server private key (server.key)

Recap
We have created our own Certificate Authority (root certificate).
But this CA is not trusted by our system.
Next, our CA has issued a server certificate with SAN.
Trusted CAs such as Comodo and GoDaddy are trusted because their root certificates are already present in the system's trust store.

In the YouTube video “Geth supporting SSL using reverse proxy server” I will be using this self signed certificate to set up a reverse proxy server accessible at:
https://proxy.mobilefish.com.

Check out all my other Ethereum related tutorial videos:
https://goo.gl/eNJVXe

Subscribe to my YouTube channel:
https://goo.gl/61NFzK

The presentation used in this video tutorial can be found at:
http://www.mobilefish.com/developer/blockchain/blockchain_quickguide_ethereum_related_tutorials.html


18 Comments

  1. Donna Gamis on December 4, 2021 at 12:35 pm

    Hi you mentioned to install server.key and the certificate can you explain how to install the server.key? Thanks.



  2. Jonathan Martins on December 4, 2021 at 12:39 pm

    I spent 4 hours trying to make this work.
    Your video helped me do it! Thank you very much!



  3. David Harrison on December 4, 2021 at 12:41 pm

    May I ask a question. In my development environment I have multiple http servers, openvpn servers, vcenter and esx servers etc, and I remove or change of add new ones regularly.

    They are all in the same domain eg. *.domain.com.

    I can't see how adding all the names into the subjectalternatenames field would be practical as they change, would having only "domain.com" in the subjectalternatename be sufficient to cover all the hosts?



  4. Rohit Shetty on December 4, 2021 at 12:41 pm

    Simple and effective tutorial…Thanks!!!



  5. abdul waheed on December 4, 2021 at 12:42 pm

    WOW, You are brilliant, taught a difficult subject in a very easy manner. Really liked it… Thank you SIR!



  6. Sc_ Pac_ on December 4, 2021 at 12:42 pm

    Thank u veryyyy much



  7. Carlos Benitez on December 4, 2021 at 12:45 pm

    Works for me! Just one question, if I want to put the server.crt and server.key in one file, for example server_bundle.pem. Is it going to work?



  8. Junaid Ahmed on December 4, 2021 at 12:46 pm

    Hi, I need to generate a client certificate also, can you please advise how this can be incorporated ?



  9. Lubrifiax on December 4, 2021 at 12:48 pm

    Thanks man, you managed to simply explain me in 5 min what 99% of the topics on the net can’t in 3 months!



  10. Neomeister on December 4, 2021 at 12:51 pm

    My man! I didn’t follow your instructions to the letter as I had already completed most of these steps but adding the "subjectAltName = @alt_names" pointer to the server extension is what I was missing. Thank you.



  11. Shweta Manjrekar on December 4, 2021 at 1:01 pm

    Can anyone tell me, why the main URL or subject URL is needed to be mentioned in the DNS list?



  12. Gabriel Bong on December 4, 2021 at 1:06 pm

    Hi Sir
    I have queries to seek your advice after following all the steps very closely on a Windows 10 environment:

    Q1.) When I enter this command: sudo openssl x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext

    I don’t have the generated ca.srl file

    Please kindly advise on this if I missed out any step



  13. arun kumar on December 4, 2021 at 1:16 pm

    I am getting an error like below while issuing User Certificate using openSSL
    Like: Windows
    I am unable to access to the C:ssldemoca Invalid argument



  14. Robert de Bath on December 4, 2021 at 1:18 pm

    You should be importing the CA certificate into your trusted store. Then every certificate signed by that CA will be trusted by your computer. (Your file ca.pem)



  15. Make it look like an accident on December 4, 2021 at 1:18 pm

    Great tutorial – very comprehensive, also provides a good insight as to how OpenSSL features are organised around enterprise concerns.
    Thanks!



  16. Sanooj M on December 4, 2021 at 1:19 pm

    Hi,
    I have followed your instructions and created the certificate in my ubuntu machine, But I’m getting an exception "caused by Received fatal alert: handshake_failure" in my java code while making an HttpsUrlConnection. Can you help me?
    Thanks



  17. RedHat Fan on December 4, 2021 at 1:19 pm

    Excellent Instructional video. Thank you for taking the time to explain in detail how this works.



  18. Aleksandr A. N on December 4, 2021 at 1:22 pm

    thank you)