Generate a self-signed SSL certificate with subjectAlternateName extension

without comments

It’s often useful to create self-signed SSL certificates for testing or when you don’t need the authentication that CA signing provides. I started with Akadia’s handy tutorial on self-signing here:

Then I needed to add a list of subjectAlternateName (SAN) fields. This is an x509v3 extension that allows a single certificate to be valid for multiple DNS names. Here’s a shortened version of how to create a self-signed cert using those fields:

echo -e >extensions.cnf “basicConstraints=CA:true\,”

openssl genrsa -out server.key 2048 && openssl req -new -key server.key -out server.csr -subj / && openssl x509 -req -days 3650 -extfile extensions.cnf -in server.csr -signkey server.key -out server.crt

Import server.crt into your list of trusted root certs and install server.crt and server.key in your Apache configuration. Your Apache should now be able to serve trusted SSL for the domains you specified, to your browser or any other one that imports your new certificate as a root.

NOTE: Guard your server.key carefully. Because you have just imported this as a CA cert, an attacker who gained control of your server.key could use it to impersonate any server on the web to you.

Written by spectre

December 30th, 2013 at 12:39 am

Posted in SSL

Leave a Reply