For information about creating SSL SAN certificates and CSRs using the Configuration utility or tmsh in 11.1.x and later, refer to the following article:
Subject Alternative Name (SAN) certificates or Unified Communication (UCC) certificates allow control of the subject alternative name field to secure multiple domains through the use of a single certificate. This type of certificate is similar to a wildcard certificate; however, it allows you to specify multiple alternative domains instead of a single domain, as in a wildcard certificate.
Creating a self-signed SAN/UCC certificate or certificate request
Note: You may want to check with your Certificate Authority (CA) to see if tools are available to make this process easier. While you can perform this process from the command line using OpenSSL, there are quite a few steps involved. Creating multiple certificates using this method may be time consuming.
- Log in to the command line.
- Change directories to the /var/tmp directory. For example:
cd /var/tmp
- Create a directory to store a modified openssl.cnf file, in addition to the SSL key(s), certificate(s), and certificate request(s). For example:
mkdir mySSL
- Copy the default openssl.cnf file to the newly created directory; this copy will become the custom openssl.cnf file used to create SAN/UCC certificates and requests.
For BIG-IP 10.1.0 and later, the openssl.cnf file is located at /etc/pki/tls/openssl.cnf. For example:
cp /etc/pki/tls/openssl.cnf /var/tmp/mySSL/myssl.cnf
For BIG-IP 10.0.1 and earlier, the openssl.cnf file is located at /usr/share/ssl/openssl.cnf. For example:
cp /usr/share/ssl/openssl.cnf /var/tmp/mySSL/myssl.cnf
- Edit the custom openssl.cnf file (/var/tmp/mySSL/myssl.cnf) and add the following information to the end of the file:
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = <FQDN>
DNS.2 = <host.domain1>
DNS.3 = <host.domain2>
DNS.4 = <host.domain3>
…
DNS.x = <host.domainx>
For example:
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = test.example.com
DNS.3 = mail.example.com
DNS.4 = www.example.net
Important: Specify the primary Fully Qualified Domain Name (FQDN) within the alt_names section. Although you will be prompted for the primary FQDN (as the Common Name) during the certificate request phase, RFC 2818 states the following:
“If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.”
- Save the changes made to the custom openssl.cnf file (/var/tmp/mySSL/myssl.cnf) in Step 5.
- Generate a certificate request that contains the alternate names specified in Step 5 by typing the following command:
openssl req -new -nodes -newkey rsa:<key size in bits> -config <custom config file> -reqexts req_ext -keyout <FQDN>.key -out <FQDN>.csr
For example:
# openssl req -new -nodes -newkey rsa:1024 -config /var/tmp/mySSL/myssl.cnf -reqexts req_ext -keyout /var/tmp/mySSL/www.example.com.key -out /var/tmp/mySSL/www.example.com.csr
Generating a 1024 bit RSA private key
......................................................++++++
.++++++
writing new private key to 'www.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, YOUR name) []:www.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:root
An optional company name []:
- Verify the information in the certificate request before sending the request to the CA by typing the following command:
openssl req -noout -text -in <name of certificate request file>
For example:
# openssl req -noout -text -in /var/tmp/mySSL/www.example.com.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Washington, L=Seattle, O=Example, OU=Engineering, CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b9:ab:08:c2:96:d2:6e:20:68:21:92:ef:7c:82:
f1:03:bd:77:cb:59:88:e8:5c:a4:8c:d7:3a:e8:9e:
03:1c:0b:6c:5e:97:ac:df:74:e7:38:12:a9:1b:cb:
73:f1:6c:5c:a2:20:cf:dd:fd:8a:e7:18:6e:93:ef:
e6:d7:c8:60:42:d7:a3:28:10:08:87:40:af:3b:88:
af:49:93:1c:b0:bc:9d:dc:8d:12:f3:2d:58:c3:1c:
bd:c3:a3:99:44:e7:c7:49:06:46:3c:21:f8:f2:9f:
b5:0c:df:c8:a8:e8:bf:d2:3d:ba:7d:99:fe:71:ac:
81:3e:02:78:43:73:04:4a:79
Exponent: 65537 (0x10001)
Attributes:
challengePassword :root
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:test.example.com, DNS:mail.example.com, DNS:www.example.net
Signature Algorithm: md5WithRSAEncryption
2b:56:22:33:22:b2:0d:53:3a:b0:70:32:0d:a0:23:e1:7d:33:
ba:93:3d:87:ec:7d:eb:b2:8f:f7:99:f3:0a:a2:ad:ce:1b:01:
d2:f6:68:82:ec:5d:88:69:8c:93:03:eb:57:9d:e6:ee:4d:4b:
b0:9e:bc:46:08:c0:37:98:ce:86:cb:06:ed:d6:f5:2a:e2:49:
13:7a:bb:06:1e:c4:44:11:50:74:d1:81:a0:ea:4a:8a:47:84:
21:33:52:12:54:b1:59:08:20:e1:aa:9e:78:bb:97:24:eb:9e:
f0:6c:a5:07:95:f5:92:33:d7:74:7f:2e:eb:73:b2:b9:c4:43:
b6:84
Within the example command output, locate the Requested Extensions section. This section lists the alternative names associated with the certificate:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:test.example.com, DNS:mail.example.com, DNS:www.example.net
- Submit the certificate request to your CA.
- Optional: Create a self-signed certificate from a SAN/UCC certificate request. To use the certificate request to create a self-signed certificate for testing purposes, type the following command:
openssl x509 -req -in <certificate request> -extfile myssl.cnf -extensions req_ext -signkey <ssl key> -days <number of days> -out <certificate name>
For example:
# openssl x509 -req -in /var/tmp/mySSL/www.example.com.csr -extfile /var/tmp/mySSL/myssl.cnf -extensions req_ext -signkey /var/tmp/mySSL/www.example.com.key -days 730 -out /var/tmp/mySSL/www.example.com.crt
Signature ok
subject=/C=US/ST=Washington/L=Seattle/O=Example/OU=Engineering/CN=www.example.com
Getting Private key
You can then view the contents of the certificate by typing the following command:
openssl x509 -in <certificate name> -noout -text
For example:
# openssl x509 -in /var/tmp/mySSL/www.example.com.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bc:18:92:13:77:a1:09:5f
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Washington, L=Seattle, O=Example, OU=Engineering, CN=www.example.com
Validity
Not Before: Apr 20 19:36:33 2010 GMT
Not After : Apr 19 19:36:33 2012 GMT
Subject: C=US, ST=Washington, L=Seattle, O=F5 Networks, OU=Engineering, CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b9:ab:08:c2:96:d2:6e:20:68:21:92:ef:7c:82:
f1:03:bd:77:cb:59:88:e8:5c:a4:8c:d7:3a:e8:9e:
03:1c:0b:6c:5e:97:ac:df:74:e7:38:12:a9:1b:cb:
73:f1:6c:5c:a2:20:cf:dd:fd:8a:e7:18:6e:93:ef:
e6:d7:c8:60:42:d7:a3:28:10:08:87:40:af:3b:88:
af:49:93:1c:b0:bc:9d:dc:8d:12:f3:2d:58:c3:1c:
bd:c3:a3:99:44:e7:c7:49:06:46:3c:21:f8:f2:9f:
b5:0c:df:c8:a8:e8:bf:d2:3d:ba:7d:99:fe:71:ac:
81:3e:02:78:43:73:04:4a:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:test.example.com, DNS:mail.example.com, DNS:www.example.net
Signature Algorithm: md5WithRSAEncryption
7b:7f:eb:de:4e:93:b1:8b:11:bc:8b:98:fc:28:e6:4a:bd:ba:
56:1c:3b:97:17:14:c3:b2:af:8d:2f:29:a0:f6:5c:fd:28:5b:
54:e6:33:91:81:a6:9f:fe:56:18:12:f4:0f:4f:12:e9:d5:67:
42:06:c7:b2:9f:28:0d:29:6d:a4:35:b1:1c:22:3a:be:e5:74:
eb:5d:9e:64:90:21:0b:c6:06:46:46:d4:4f:a0:ea:15:ba:f8:
0b:a5:34:2d:6e:a4:56:46:81:05:0c:b9:ea:29:14:d8:72:8b:
05:19:15:9e:96:6f:8f:d4:3b:d5:c2:5d:23:a1:fe:29:b1:3e:
32:d2
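The whole procedure above (config, key and CSR with -reqexts, self-signed test certificate with -extfile/-extensions, SAN check) as a non-interactive shell script. This is an added example, not F5's code: it writes its own minimal OpenSSL config instead of copying the BIG-IP openssl.cnf, and the function names, the 2048-bit key size and SHA-256 are assumptions; the final check catches the case the Important note warns about, a primary FQDN that is in the CN but missing from the SAN.

```shell
# Added example, not from the F5 article: non-interactive version of the procedure above.
# Writes its own minimal OpenSSL config, generates the key and SAN CSR, self-signs a test
# certificate, and checks that every name, including the primary FQDN, is in the SAN.

# Write a stand-alone config with the [ req_ext ] / [ alt_names ] sections.
# $1 = config path, $2 = primary FQDN (used as CN and as DNS.1), $3.. = extra DNS names.
write_san_config() {
    cfg="$1"; cn="$2"; shift 2
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' "$cn" > "$cfg"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\nDNS.1 = %s\n' "$cn" >> "$cfg"
    i=2
    for name in "$@"; do
        echo "DNS.$i = $name" >> "$cfg"
        i=$((i + 1))
    done
}

# Print the SAN of a CSR ($1 = req) or certificate ($1 = x509) at path $2 with spaces
# removed, e.g. DNS:www.example.com,DNS:test.example.com
san_of() {
    openssl "$1" -noout -text -in "$2" | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Return 1 if any name in $3.. is missing from the SAN. RFC 2818 makes the SAN
# authoritative when present, so the CN must be listed there as well.
san_contains() {
    kind="$1"; file="$2"; shift 2
    san=$(san_of "$kind" "$file")
    for name in "$@"; do
        case ",$san," in
            *",DNS:$name,"*) ;;
            *) echo "missing from SAN: $name" >&2; return 1 ;;
        esac
    done
}

# Key and CSR with -reqexts req_ext, then a test certificate signed with -extfile/-extensions
# so the SAN is carried into the certificate. 2048-bit RSA and SHA-256 are assumptions
# (the article's example uses rsa:1024). $1 = working dir, $2 = primary FQDN, $3.. = extra names.
make_san_certs() {
    dir="$1"; cn="$2"; shift 2
    mkdir -p "$dir"
    write_san_config "$dir/myssl.cnf" "$cn" "$@"
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$dir/myssl.cnf" \
        -reqexts req_ext -keyout "$dir/$cn.key" -out "$dir/$cn.csr"
    openssl x509 -req -in "$dir/$cn.csr" -extfile "$dir/myssl.cnf" -extensions req_ext \
        -signkey "$dir/$cn.key" -days 730 -sha256 -out "$dir/$cn.crt"
    san_contains req "$dir/$cn.csr" "$cn" "$@" && san_contains x509 "$dir/$cn.crt" "$cn" "$@"
}
```

Run it as `make_san_certs /var/tmp/mySSL www.example.com test.example.com mail.example.com www.example.net`; a non-zero exit means a name was dropped from the SAN of the CSR or the certificate.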