Here's how I generate SSL keys for a webserver.
In particular I want name-based vhosts with SSL - this can only be done with multiple DNS names in the certificate...
Most of my openssl setup has been guided by:
http://www.phildev.net/ssl/opensslconf.xhtml
http://www.phildev.net/ssl/creating_ca.xhtml
http://www.phildev.net/ssl/managing_ca.xhtml
with a little info from here:
http://wiki.cacert.org/wiki/VhostTaskForce#A1.Way.3ASubjectAltNameOnly
step 1.... get openssl.cnf as you want it
step 2.... add multiple dns names as required
[alt_names]
DNS.1 = example.net
DNS.2 = www.example.net
DNS.3 = example.com
DNS.4 = www.example.com
DNS.5 = mms.example.com
DNS.6 = fancy.example.org
step 3.... generate key:
openssl genrsa -out example.net.key.pem 4096
step 4.... generate cert
openssl req -config ./openssl.cnf -new -key example.net.key.pem -out example.net.req.pem
use one of the names as the CN..
usually I'd say use the DNS A record as the CN (i.e. if example.net -> a specific IP, and that IP's PTR is example.net)... and then put all the C-names in as DNS (as well as the A-rec) (i.e. the DNS aliases, www.example.net = example.net)
step 5.... transfer the req to the CA and sign it
openssl ca -out certs/example.net.cert.pem -days 1461 -keyfile private/theCA.key.pem -extensions v3_ca_has_san -config ./openssl.cnf -infiles requests/example.net.req.pem
how does it end up?
One CN:
Subject: C=AU, ST=Victoria, O=example, OU=example dot net, CN=example.net/emailAddress=security@example.net
Multiple DNS's
X509v3 Subject Alternative Name:
DNS:example.net, DNS:www.example.net[...]
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment