I recently wrote a post about certificate signing – specifically, about how to create and sign a certificate request so that you end up with one certificate signed by another. One thing I did not cover there, was how to include Subject Alternative Names (SAN) data in the signed certificate. To be honest, I did not realize I needed that at first, but it soon became obvious, and figuring out how to do it actually took some work.
In the end I found I had to use a different OpenSSL command for the actual signing step, and to create an extra, separate config file for the SAN data. If you’ve followed steps 1-4 in the original post, you should be fine – just replace step 5 with the following:
Create a config-file with the SAN data
I called this file extensions.cnf, and it contained the following (with server names anonymized, obviously):
[SAN]
subjectAltName="DNS:my-server-name.northeurope.cloudapp.azure.com, DNS:api.my-server-name.northeurope.cloudapp.azure.com, DNS:other-url.northeurope.cloudapp.azure.com"
To be safe, I saved this as an ANSI text file, in the same way as described in the original post. This config file was saved next to the certificate request (myreq.pem in the previous post). The signed certificate could now be created using:
openssl x509 -req -days 365 -CA certauth/ca.crt -CAkey certauth/ca.key -CAcreateserial -extensions SAN -extfile extensions.cnf -in myreq.pem -out signed-cert.crt
A couple of points here:
- x509 -req is a different command for generating (and signing) the certificate, and replaces ca from the original post.
- -config certauth.conf, which referred to the config file for the CA, is replaced with a couple of simple parameters:
  - -days 365, which specifies the validity period of the cert (1 year),
  - -CA certauth/ca.crt, which points to the cert to use for signing, and
  - -CAkey certauth/ca.key, which points to its corresponding private key.
- -extensions SAN -extfile extensions.cnf includes the SAN section of the file we created above, while -in and -out obviously specify the request defining the certificate, and the name of the file to write it to.
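The whole procedure end to end, as an added example that is not part of the original post: it builds a throwaway CA and request, writes the [SAN] extension file, runs the x509 -req signing step above, and then checks two things a practitioner wants to confirm: that the SAN names actually landed in the signed certificate (without -extensions/-extfile they are silently dropped, and modern browsers ignore the CN and require a matching SAN), and that the result verifies against the CA. The CA name, hostnames and file locations are constructed for the demo and are not the post's own values.

```shell
#!/bin/sh
# Added example (not from the original post): sign a CSR so that the SAN data from
# extensions.cnf ends up in the certificate, then check the result.
# All names below (Demo Root CA, *.example.test) are constructed for this demo.
set -eu

# Everything is written into a scratch directory.
WORK="${WORK:-$(mktemp -d)}"

# Step 1: a throwaway CA (certauth/ca.crt and certauth/ca.key in the post).
make_demo_ca() {
  mkdir -p "$WORK/certauth"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/certauth/ca.key" -out "$WORK/certauth/ca.crt" 2>/dev/null
}

# Step 2: a server key and certificate request (myreq.pem in the post).
make_demo_request() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=my-server-name.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/myreq.pem" 2>/dev/null
}

# Step 3: the extension file with the [SAN] section; hostnames are constructed.
write_extensions_cnf() {
  cat > "$WORK/extensions.cnf" <<'EOF'
[SAN]
subjectAltName=DNS:my-server-name.example.test,DNS:api.my-server-name.example.test
EOF
}

# Step 4: the signing command from the post. -extensions SAN -extfile pulls the
# [SAN] section in; -sha256 is explicit so old OpenSSL builds do not fall back to SHA-1.
sign_request() {
  openssl x509 -req -days 365 -sha256 \
    -CA "$WORK/certauth/ca.crt" -CAkey "$WORK/certauth/ca.key" -CAcreateserial \
    -extensions SAN -extfile "$WORK/extensions.cnf" \
    -in "$WORK/myreq.pem" -out "$WORK/signed-cert.crt" 2>/dev/null
}

# Check 1: print the line following "Subject Alternative Name" in the decoded cert.
# If -extensions/-extfile were left out, this prints nothing.
signed_cert_sans() {
  openssl x509 -in "$WORK/signed-cert.crt" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}'
}

# Check 2: the signed certificate chains to the CA.
verify_chain() {
  openssl verify -CAfile "$WORK/certauth/ca.crt" "$WORK/signed-cert.crt"
}

run_demo() {
  make_demo_ca
  make_demo_request
  write_extensions_cnf
  sign_request
  signed_cert_sans
  verify_chain
}

# Run it directly with: sh this-script.sh
if [ "${1:-}" = "run" ]; then
  run_demo
fi
```

Run with `sh script.sh run`; the last two lines of output are the DNS entries from the [SAN] section and `signed-cert.crt: OK`. The SAN check is the one worth keeping around: a certificate that verifies fine against the CA can still be rejected by every browser and most TLS clients simply because the names were never copied in.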
Working out how to do this was a little frustrating at times, but also interesting and enlightening once I got it to work. I hope it may save you some time and frustrations!