For information about creating SSL SAN certificates and CSRs using the Configuration utility or tmsh in 11.1.x and later, refer to the following article:

Subject Alternative Name (SAN) certificates or Unified Communication (UCC) certificates allow control of the subject alternative name field to secure multiple domains through the use of a single certificate. This type of certificate is similar to a wildcard certificate; however, it allows you to specify multiple alternative domains instead of a single domain, as in a wildcard certificate.

Creating a self-signed SAN/UCC certificate or certificate request

Note: You may want to check with your Certificate Authority (CA) to see if tools are available to make this process easier. While you can perform this process from the command line using OpenSSL, there are quite a few steps involved. Creating multiple certificates using this method may be time consuming.

  1. Log in to the command line.
  2. Change directories to the /var/tmp directory. For example:

    cd /var/tmp

  3. Create a directory to store a modified openssl.cnf file, in addition to the SSL key(s), certificate(s), and certificate request(s). For example:

    mkdir mySSL

  4. Copy the default openssl.cnf file to the newly created directory; this copy will be used to create a custom openssl.cnf file for creating SAN/UCC certificates and requests. For BIG-IP 10.1.0 and later, the openssl.cnf file is located at /etc/pki/tls/openssl.cnf.

    For example:

    cp /etc/pki/tls/openssl.cnf /var/tmp/mySSL/myssl.cnf

    For BIG-IP 10.0.1 and earlier, the openssl.cnf file is located at /usr/share/ssl/openssl.cnf.

    For example:

    cp /usr/share/ssl/openssl.cnf /var/tmp/mySSL/myssl.cnf

  5. Edit the custom openssl.cnf file (/var/tmp/mySSL/myssl.cnf) and add the following information to the end of the file:

    [ req_ext ]
    subjectAltName    = @alt_names

    [ alt_names ]
    DNS.1    = <FQDN>
    DNS.2    = <host.domain1>
    DNS.3    = <host.domain2>
    DNS.4    = <host.domain3>

    DNS.x    = <host.domainx>

    For example:

    [ req_ext ]
    subjectAltName    = @alt_names

    [ alt_names ]
    DNS.1    = www.example.com
    DNS.2    = test.example.com
    DNS.3    = mail.example.com
    DNS.4    = www.example.net

    Important: Specify the primary Fully Qualified Domain Name (FQDN) within the alt_names section as well. Although the primary FQDN is entered as the Common Name during the certificate request phase, a client does not fall back to the Common Name once a subjectAltName is present; RFC 2818 states the following:

    “If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.”

  6. Save the changes made to the custom openssl.cnf file (/var/tmp/mySSL/myssl.cnf) in Step 5.
  7. Generate a certificate request that contains the alternate names specified in Step 5 by typing the following command:

    openssl req -new -nodes -newkey rsa:<key size in bits> -config <custom config file> -reqexts req_ext -keyout <FQDN>.key -out <FQDN>.csr

    For example:

    # openssl req -new -nodes -newkey rsa:1024 -config /var/tmp/mySSL/myssl.cnf -reqexts req_ext -keyout /var/tmp/mySSL/www.example.com.key -out /var/tmp/mySSL/www.example.com.csr
    Generating a 1024 bit RSA private key
    ......................++++++
    .++++++
    writing new private key to 'www.example.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Washington
    Locality Name (eg, city) []:Seattle
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
    Organizational Unit Name (eg, section) []:Engineering
    Common Name (eg, YOUR name) []:www.example.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:root
    An optional company name []:
  8. Verify the information in the certificate request before sending the request to the CA by typing the following command:

    openssl req -noout -text -in <name of certificate request file>

    For example:

    # openssl req -noout -text -in /var/tmp/mySSL/www.example.com.csr
    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=Washington, L=Seattle, O=Example, OU=Engineering, CN=www.example.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00:b9:ab:08:c2:96:d2:6e:20:68:21:92:ef:7c:82:
    f1:03:bd:77:cb:59:88:e8:5c:a4:8c:d7:3a:e8:9e:
    03:1c:0b:6c:5e:97:ac:df:74:e7:38:12:a9:1b:cb:
    73:f1:6c:5c:a2:20:cf:dd:fd:8a:e7:18:6e:93:ef:
    e6:d7:c8:60:42:d7:a3:28:10:08:87:40:af:3b:88:
    af:49:93:1c:b0:bc:9d:dc:8d:12:f3:2d:58:c3:1c:
    bd:c3:a3:99:44:e7:c7:49:06:46:3c:21:f8:f2:9f:
    b5:0c:df:c8:a8:e8:bf:d2:3d:ba:7d:99:fe:71:ac:
    81:3e:02:78:43:73:04:4a:79
    Exponent: 65537 (0x10001)
    Attributes:
    challengePassword        :root
    Requested Extensions:
    X509v3 Subject Alternative Name:
    DNS:test.example.com, DNS:mail.example.com, DNS:www.example.net
    Signature Algorithm: md5WithRSAEncryption
    2b:56:22:33:22:b2:0d:53:3a:b0:70:32:0d:a0:23:e1:7d:33:
    ba:93:3d:87:ec:7d:eb:b2:8f:f7:99:f3:0a:a2:ad:ce:1b:01:
    d2:f6:68:82:ec:5d:88:69:8c:93:03:eb:57:9d:e6:ee:4d:4b:
    b0:9e:bc:46:08:c0:37:98:ce:86:cb:06:ed:d6:f5:2a:e2:49:
    13:7a:bb:06:1e:c4:44:11:50:74:d1:81:a0:ea:4a:8a:47:84:
    21:33:52:12:54:b1:59:08:20:e1:aa:9e:78:bb:97:24:eb:9e:
    f0:6c:a5:07:95:f5:92:33:d7:74:7f:2e:eb:73:b2:b9:c4:43:
    b6:84

    Within the example command output, locate the following Requested Extensions section. This section lists the alternative names associated with the certificate:

    Requested Extensions:
    X509v3 Subject Alternative Name:
    DNS:www.example.com, DNS:test.example.com, DNS:mail.example.com, DNS:www.example.net

  9. Submit the certificate request to your CA.
  10. Optional: Create a self-signed certificate from a SAN/UCC certificate request. To use the certificate request to create a self-signed certificate for testing purposes, type the following command:

    openssl x509 -req -in <certificate request> -extfile myssl.cnf -extensions req_ext -signkey <ssl key> -days <number of days> -out <certificate name>

    For example:

    # openssl x509 -req -in /var/tmp/mySSL/www.example.com.csr -extfile /var/tmp/mySSL/myssl.cnf -extensions req_ext -signkey /var/tmp/mySSL/www.example.com.key -days 730 -out /var/tmp/mySSL/www.example.com.crt
    Signature ok
    subject=/C=US/ST=Washington/L=Seattle/O=Example/OU=Engineering/CN=www.example.com
    Getting Private key

    You can then view the contents of the certificate by typing the following command:

    openssl x509 -in <certificate name> -noout -text

    For example:

    # openssl x509 -in /var/tmp/mySSL/www.example.com.crt -noout -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    bc:18:92:13:77:a1:09:5f
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=US, ST=Washington, L=Seattle, O=Example, OU=Engineering, CN=www.example.com
    Validity
    Not Before: Apr 20 19:36:33 2010 GMT
    Not After : Apr 19 19:36:33 2012 GMT
    Subject: C=US, ST=Washington, L=Seattle, O=F5 Networks, OU=Engineering, CN=www.example.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00:b9:ab:08:c2:96:d2:6e:20:68:21:92:ef:7c:82:
    f1:03:bd:77:cb:59:88:e8:5c:a4:8c:d7:3a:e8:9e:
    03:1c:0b:6c:5e:97:ac:df:74:e7:38:12:a9:1b:cb:
    73:f1:6c:5c:a2:20:cf:dd:fd:8a:e7:18:6e:93:ef:
    e6:d7:c8:60:42:d7:a3:28:10:08:87:40:af:3b:88:
    af:49:93:1c:b0:bc:9d:dc:8d:12:f3:2d:58:c3:1c:
    bd:c3:a3:99:44:e7:c7:49:06:46:3c:21:f8:f2:9f:
    b5:0c:df:c8:a8:e8:bf:d2:3d:ba:7d:99:fe:71:ac:
    81:3e:02:78:43:73:04:4a:79
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:www.example.com, DNS:test.example.com, DNS:mail.example.com, DNS:www.example.net
    Signature Algorithm: md5WithRSAEncryption
    7b:7f:eb:de:4e:93:b1:8b:11:bc:8b:98:fc:28:e6:4a:bd:ba:
    56:1c:3b:97:17:14:c3:b2:af:8d:2f:29:a0:f6:5c:fd:28:5b:
    54:e6:33:91:81:a6:9f:fe:56:18:12:f4:0f:4f:12:e9:d5:67:
    42:06:c7:b2:9f:28:0d:29:6d:a4:35:b1:1c:22:3a:be:e5:74:
    eb:5d:9e:64:90:21:0b:c6:06:46:46:d4:4f:a0:ea:15:ba:f8:
    0b:a5:34:2d:6e:a4:56:46:81:05:0c:b9:ea:29:14:d8:72:8b:
    05:19:15:9e:96:6f:8f:d4:3b:d5:c2:5d:23:a1:fe:29:b1:3e:
    32:d2
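The following script is an added example, not part of the F5 article and not an F5 tool: it runs Steps 5 through 10 above non-interactively and then checks the point the RFC 2818 note makes, namely that the primary FQDN and every alternate name are present in the subjectAltName of both the request and the self-signed certificate. It assumes a minimal stand-alone OpenSSL config written from scratch instead of a copy of the BIG-IP /etc/pki/tls/openssl.cnf, uses prompt = no so the DN comes from the config rather than from prompts, and uses a 2048-bit key with a SHA-256 signature in place of the article's rsa:1024 and md5WithRSAEncryption output (public CAs no longer accept either). All host names, DN values and file names are constructed sample data.

```shell
#!/bin/sh
# Added example: SAN/UCC CSR + self-signed certificate, with verification that the
# subjectAltName survived into both artifacts. Not from the original article.
# Assumed: minimal config instead of a copied openssl.cnf; prompt = no; rsa:2048; -sha256.

# write_san_config CFG FQDN [SAN ...]
# Writes the [ req_ext ] / [ alt_names ] sections from Step 5. The primary FQDN is
# always DNS.1: per RFC 2818 a client uses the SAN, not the CN, once a SAN exists.
write_san_config() {
    cfg=$1; fqdn=$2; shift 2
    {
        printf '[ req ]\ndistinguished_name = req_distinguished_name\nprompt = no\n\n'
        printf '[ req_distinguished_name ]\nC = US\nO = Example\nCN = %s\n\n' "$fqdn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for name in "$fqdn" "$@"; do          # constructed sample names from the caller
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# gen_san_csr CFG KEY CSR  -- Step 7: new key plus a request carrying req_ext
gen_san_csr() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1" -reqexts req_ext \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

# self_sign_san CFG KEY CSR CRT  -- Step 10: self-signed test certificate.
# -extfile/-extensions are required; without them x509 -req drops the SAN silently.
self_sign_san() {
    openssl x509 -req -in "$3" -extfile "$1" -extensions req_ext \
        -signkey "$2" -days 730 -sha256 -out "$4" >/dev/null 2>&1
}

# Takes the line after "Subject Alternative Name" from -text output and strips
# whitespace, yielding e.g. DNS:www.example.com,DNS:test.example.com
extract_san() {
    awk '/Subject Alternative Name/ { getline; gsub(/[ \t\r]/, ""); print; exit }'
}
csr_san()  { openssl req  -noout -text -in "$1" | extract_san; }   # Step 8 check
cert_san() { openssl x509 -noout -text -in "$1" | extract_san; }   # Step 10 check

# san_contains SANLIST NAME -- succeeds if NAME is one of the DNS entries
san_contains() {
    case ",$1," in *",DNS:$2,"*) return 0 ;; esac
    return 1
}

# Stand-alone run in a scratch directory (stands in for /var/tmp/mySSL in the article)
work=$(mktemp -d)
write_san_config "$work/myssl.cnf" www.example.com test.example.com mail.example.com www.example.net
gen_san_csr   "$work/myssl.cnf" "$work/www.example.com.key" "$work/www.example.com.csr"
self_sign_san "$work/myssl.cnf" "$work/www.example.com.key" "$work/www.example.com.csr" "$work/www.example.com.crt"
echo "CSR  SAN: $(csr_san  "$work/www.example.com.csr")"
echo "Cert SAN: $(cert_san "$work/www.example.com.crt")"
if san_contains "$(cert_san "$work/www.example.com.crt")" www.example.com; then
    echo "primary FQDN present in SAN"
else
    echo "WARNING: primary FQDN missing from SAN (clients will not match it via the CN)"
fi
```

Before a request goes to the CA, compare csr_san against the list you intended: a name missing here is the usual cause of a browser name-mismatch error after the certificate is installed. The same extraction works on the certificate the CA returns, so the check can be repeated on the final artifact before it is imported into the BIG-IP.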
