Generating a CSR for multiple domain names

When generating a Certificate Signing Request (or CSR) for an SSL certificate, there is usually only a single hostname required – what is known as the ‘Common Name’, composed of Host + Domain name, e.g. “www.example.com” or “example.com”.

However, if you have multiple hostnames resolving to the same web space (e.g. www.example.co.uk as an alias of www.example.com), and you want them all to be secured by the same SSL certificate, you need to use a multi-domain SSL certificate, which will also cover any additional domains that you specify.

To request a multi-domain SSL certificate, you need to generate a CSR which includes these additional names – officially known as “Subject Alternative Names” (also referred to as ‘SANs’). Some control panels may offer GUI-based methods to generate CSRs with additional names, but if these are not available to you, it is possible to use OpenSSL commands to generate the CSR on the command line.

First, logon/sudo to root and make a backup of the OpenSSL configuration, as we will be making changes to it and want to have a copy to roll-back to in the event of any problems.

cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl-ORIG

Next, open openssl.cnf for editing using your preferred text editor, e.g. vim in this example:

vim /etc/pki/tls/openssl.cnf

Look for the [ req ] section and, if not already present, add the following directive:

req_extensions = v3_req

Then look for the [ v3_req ] section and add the additional names. A single name can be added like this:

subjectAltName = DNS:www.example.co.uk

For multiple names, you can add a new line for each name, or put them on a single line, as shown below:

subjectAltName = DNS:www.example.co.uk, DNS:www.example.org

These are the only essential changes required, but it’s worth changing the default_bits value to 2048 as well, otherwise the generated key defaults to 1024 bits.

Save the changes and then generate a CSR using the normal OpenSSL commands, e.g. -

openssl req -new -out example-com.csr -key example-com.key

Answer the usual CSR questions when prompted, and then confirm the correct information has been saved using the following command:

openssl req -text -noout -in example-com.csr

As well as the primary Common Name, you should also see the additional names listed too, e.g. -

Requested Extensions:
X509v3 Subject Alternative Name:
DNS:www.example.co.uk, DNS:www.example.org

If the information is all correct, and all required additional names are included, you can then use this CSR to order your multidomain SSL certificate.

You should also restore the original copy of openssl.cnf, to prevent the additional names from being added to any future CSRs generated:

rm -f /etc/pki/tls/openssl.cnf
cp /etc/pki/tls/openssl-ORIG /etc/pki/tls/openssl.cnf

Note: All file paths and commands included are based on a default Red Hat / CentOS build.
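As an added example that is not part of the original post, here is the same result without touching the system-wide openssl.cnf: a POSIX shell function writes a throwaway request config and passes it to openssl with -config, so there is nothing to back up or restore afterwards, and a second function extracts the SAN line for the verification step above. The hostnames, file names and work directory are placeholders chosen for this example; it also lists the Common Name in the SAN list, since browsers match hostnames against the SAN extension and ignore the CN.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a SAN CSR from a
# per-request config instead of editing /etc/pki/tls/openssl.cnf.
# The hostnames and file names used by the caller are placeholders.

# gen_san_csr CN OUTDIR SAN1 [SAN2 ...]
# Writes OUTDIR/example-com.key and OUTDIR/example-com.csr.
gen_san_csr() {
    cn="$1"; outdir="$2"; shift 2
    # Build "DNS:a, DNS:b, ..." with the Common Name listed first, because
    # clients validate hostnames against the SAN extension, not the CN.
    sans="DNS:$cn"
    for name in "$@"; do
        sans="$sans, DNS:$name"
    done
    mkdir -p "$outdir"
    # Minimal request config: 2048-bit key, no interactive prompts,
    # and the v3_req section carrying the subjectAltName extension.
    cat > "$outdir/san.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
CN = $cn

[ v3_req ]
subjectAltName = $sans
EOF
    # A fresh unencrypted key is generated here; to reuse an existing key,
    # replace "-newkey rsa:2048 -nodes -keyout ..." with "-key <file>".
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/example-com.key" \
        -out "$outdir/example-com.csr" \
        -config "$outdir/san.cnf" 2>/dev/null \
        || { echo "openssl req failed" >&2; return 1; }
}

# csr_sans FILE
# Prints the SAN entries found in a CSR, so every required name can be
# checked before the CSR is sent to the CA.
csr_sans() {
    openssl req -text -noout -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Run gen_san_csr www.example.com ./work www.example.co.uk www.example.org and then csr_sans ./work/example-com.csr to see the three DNS entries on one line.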
