How to generate a self-signed SAN SSL/TLS certificate using openssl

openssl-self-signed-san-certificate.md

How to generate a self-signed SAN SSL/TLS certificate using openssl

Generating a self-signed certificate is a common task and the command to generate one with openssl is well known and well documented. Generating a certificate that includes subjectAltName is not so straght forward however. The following example demonstrates how to generate a SAN certificate without making a permanent change to the openssl configuration.

Generate a list of all required DNS names, (Note: CN will be discarded).

$ export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"

Generate a configuration with the addition of the san extension.

NOTE: On OSX [EL Capitan] the openssl configuration file path is: /System/Library/OpenSSL/openssl.cnf instead of the RHEL/CentOS default of /etc/pki/tls/openssl.cnf.

$ cat \
	/etc/pki/tls/openssl.cnf \
	- \
	<<-CONFIG > /tmp/www.domain.localdomain.cnf

[ san ]
subjectAltName="${SAN:[email protected]}"
CONFIG

Generate the certificate using the additional parameters -config, -reqext, and -extensions:

$ openssl req \
	-x509 \
	-sha256 \
	-nodes \
	-newkey rsa:2048 \
	-days 365 \
	-reqexts san \
	-extensions san \
	-subj "/CN=www.domain.localdomain" \
	-config /tmp/www.domain.localdomain.cnf \
	-keyout /etc/pki/tls/private/www.domain.localdomain.crt \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

Generate a new Diffie-Hellman Group

Warning! this takes a while...

$ openssl dhparam \
	-out /tmp/dhparams.pem \
	2048

Append the DH PARAMS to the certificate.

$ cat /tmp/dhparams.pem \
	>> /etc/pki/tls/certs/www.domain.localdomain.crt

Thanks for the gist.
I think there is a typo in the command, you mentioned

-keyout /etc/pki/tls/private/www.domain.localdomain.crt \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

while it should be

-keyout /etc/pki/tls/private/www.domain.localdomain.key \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

Thanks for the gist.
I think there is a typo in the command, you mentioned

-keyout /etc/pki/tls/private/www.domain.localdomain.crt \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

while it should be

-keyout /etc/pki/tls/private/www.domain.localdomain.key \
	-out /etc/pki/tls/certs/www.domain.localdomain.crt

The file extension doesn’t matter it outputs a PEM file regardless of what extension you use. It’s just an example and you can use whatever file names or paths you like.

I dont think you got me. You are using the same filename and extension for the key and certificate which would result in one file getting overwritten. So while the command is supposed to yield a key and a certificate (2 files) it generates only one.

On Fri, 14 May 2021 at 8:38 PM James Deathe ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Thanks for the gist. I think there is a typo in the command, you mentioned -keyout /etc/pki/tls/private/www.domain.localdomain.crt \ -out /etc/pki/tls/certs/www.domain.localdomain.crt while it should be -keyout /etc/pki/tls/private/www.domain.localdomain.key \ -out /etc/pki/tls/certs/www.domain.localdomain.crt The file extension doesn’t matter it outputs a PEM file regardless of what extension you use. It’s just an example and you can sue whatever file names or paths you like. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://gist.github.com/4c08460eb0bac99da32748bcbda39333#gistcomment-3743098>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACKL3QW4ERYVVNIHXVSNFDTNVU3ZANCNFSM4443SBMA> .

-- Sent from Gmail Mobile

I dont think you got me. You are using the same filename and extension for the key and certificate which would result in one file getting overwritten. So while the command is supposed to yield a key and a certificate (2 files) it generates only one.
On Fri, 14 May 2021 at 8:38 PM James Deathe @.> wrote: @.* commented on this gist. ------------------------------ Thanks for the gist. I think there is a typo in the command, you mentioned -keyout /etc/pki/tls/private/www.domain.localdomain.crt \ -out /etc/pki/tls/certs/www.domain.localdomain.crt while it should be -keyout /etc/pki/tls/private/www.domain.localdomain.key \ -out /etc/pki/tls/certs/www.domain.localdomain.crt The file extension doesn’t matter it outputs a PEM file regardless of what extension you use. It’s just an example and you can sue whatever file names or paths you like. — You are receiving this because you commented. Reply to this email directly, view it on GitHub https://gist.github.com/4c08460eb0bac99da32748bcbda39333#gistcomment-3743098, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACKL3QW4ERYVVNIHXVSNFDTNVU3ZANCNFSM4443SBMA .
-- Sent from Gmail Mobile

If you look again, you will see the paths are not the same; the output will be 2 files in 2 different directories. If you did change paths to match openssl would still generate a valid combined pem file containing both the certificate, private key to which you append the DH PARAMS. HAProxy requires a single pem file so using the same output path for key and certificate saves you having to concatenate later.

Thank you for the clarification. On Sat, 15 May 2021 at 1:42 PM, James Deathe ***@***.***> wrote:

***@***.**** commented on this gist. ------------------------------ I dont think you got me. You are using the same filename and extension for the key and certificate which would result in one file getting overwritten. So while the command is supposed to yield a key and a certificate (2 files) it generates only one. On Fri, 14 May 2021 at 8:38 PM James Deathe *@*.*> wrote: @.** commented on this gist. ------------------------------ Thanks for the gist. I think there is a typo in the command, you mentioned -keyout /etc/pki/tls/private/ www.domain.localdomain.crt \ -out /etc/pki/tls/certs/ www.domain.localdomain.crt while it should be -keyout /etc/pki/tls/private/www.domain.localdomain.key \ -out /etc/pki/tls/certs/ www.domain.localdomain.crt The file extension doesn’t matter it outputs a PEM file regardless of what extension you use. It’s just an example and you can sue whatever file names or paths you like. — You are receiving this because you commented. Reply to this email directly, view it on GitHub https://gist.github.com/4c08460eb0bac99da32748bcbda39333#gistcomment-3743098, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACKL3QW4ERYVVNIHXVSNFDTNVU3ZANCNFSM4443SBMA . -- Sent from Gmail Mobile If you look again, you will see the paths are not the same; the output will be 2 files in 2 different directories. If you did change paths to match openssl would still generate a valid combined pem file containing both the certificate, private key to which you append the DH PARAMS. HAProxy requires a single pem file so using the same output path for key and certificate saves you having to concatenate later. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://gist.github.com/4c08460eb0bac99da32748bcbda39333#gistcomment-3743625>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACKL3QG6S2HDKS26RO6OBTTNZM35ANCNFSM4443SBMA> .

-- Sent from Gmail Mobile