[solved] How can I create a SAN certificate?



  • As Vivaldi makes it nearly impossible to use self-signed SSL certificates (even if I install that certificate as an administrator and confirm loading the page, content is randomly missing again and again and again), because it expects a subjectAltName, which is usually not filled in when creating a self-signed certificate, I finally need some help now!

    I can create a something.csr file which has some more DNS names in it with openssl.
    I cannot upload that file to my webhosting provider, as its system expects a *.crt file, not a *.csr file.
    I cannot just sign it with openssl, as all the DNS entries are GONE from the certificate as soon as I convert the file.

    Now, as Vivaldi is making my daily work extremely hard, I need some help:
    How do I create this .crt file with multiple valid SAN entries?

    So far, this has cost me three frustrating days of work!



  • okay ... for everyone who has the same problems as me, here is the solution (done on a Linux Mint VM):

    Prerequisite:
    openssl installed

    1. open a text editor and enter this content (replace the sample data):

    # openssl_san.conf
    # "prompt", "distinguished_name" and "req_extensions" belong in the [req] section,
    # and the subject fields belong in [req_distinguished_name]; fields left outside
    # that section are ignored when prompt = no.
    [req]
    prompt              = no
    distinguished_name  = req_distinguished_name
    req_extensions      = req_ext

    [req_distinguished_name]
    countryName             = DE
    stateOrProvinceName     = Bundesland hier
    localityName            = Musterstadt
    0.organizationName      = Max Mustermann
    organizationalUnitName  = Webmaster
    emailAddress            = email@example.com
    commonName              = www.example.com

    [req_ext]
    basicConstraints  = CA:FALSE
    keyUsage          = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName    = @alt_names

    [alt_names]
    DNS.1 = www.example.com
    DNS.2 = example.com
    DNS.3 = otherhost.example.com
    # DNS.4 = ... and so on, one line per name. List the commonName here as well:
    # browsers only look at the SAN list, not at the CN.

    2. save the file as openssl_san.conf
    3. open a shell
    4. generate a private key with this command:
      # -des3 encrypts the key with a passphrase; leave it out if the key has to be uploaded without one
      openssl genrsa -des3 -out myprivate.key 2048
    5. generate a certificate request with this command:
      openssl req -new -key myprivate.key -config openssl_san.conf -out mycertificate.csr
    6. sign your certificate with this command:
      # -extensions req_ext -extfile openssl_san.conf copies the SAN list from the config into the .crt;
      # -days 3650: Apple platforms refuse TLS server certificates valid for more than 825 days, so shorten it if Safari/iOS clients matter
      openssl x509 -req -in mycertificate.csr -signkey myprivate.key -out mycertificate.crt -days 3650 -extensions req_ext -extfile openssl_san.conf

    (don't forget the -extensions option, or your certificate will be signed without SAN hosts!!)

    Now you can upload your mycertificate.crt to your webhosting provider or wherever else you want to use it.

    To avoid a warning for self-signed certificates, you also need to import your certificate to your operating system. For most Windows systems, it's described here: https://www.namecheap.com/support/knowledgebase/article.aspx/9632/69/how-to-import-intermediate-and-root-certificates-via-mmc
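    The following is an added example (shell, not the commands from the post above). It wraps the whole procedure in one function, generates the key without a passphrase, and then reads the SAN list back out of the finished .crt with openssl's own hostname check, so you can see for yourself whether the -extensions step worked. The organisation and country values in the config, the file names and the 825-day validity are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the poster's commands. Builds a self-signed certificate
# with subjectAltName entries and verifies that the SANs survived into the
# .crt. Org/country values, file names and validity are placeholders.
set -eu

# make_san_cert OUTDIR COMMON_NAME DNSNAME...
# Produces OUTDIR/server.key (no passphrase), OUTDIR/server.csr and OUTDIR/server.crt.
make_san_cert() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"
    conf="$outdir/openssl_san.conf"

    # Build the [alt_names] body: one "DNS.n = name" line per argument.
    alt=""; i=1
    for name in "$@"; do
        alt="${alt}DNS.${i} = ${name}
"
        i=$((i + 1))
    done

    cat > "$conf" <<EOF
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = DE
organizationName = Example Org
commonName = $cn

[req_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
$alt
EOF

    # Unencrypted RSA key: no passphrase prompt, and hosting panels accept it as-is.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/server.key" 2>/dev/null
    openssl req -new -key "$outdir/server.key" -config "$conf" -out "$outdir/server.csr"
    # -extensions/-extfile is the step that copies the SANs into the certificate.
    openssl x509 -req -in "$outdir/server.csr" -signkey "$outdir/server.key" \
        -days 825 -sha256 -extensions req_ext -extfile "$conf" \
        -out "$outdir/server.crt" 2>/dev/null
}

# sign_without_extensions OUTDIR: the mistake from the thread. The CSR still
# carries the SANs, but the resulting OUTDIR/no_san.crt does not.
sign_without_extensions() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 825 -sha256 -out "$1/no_san.crt" 2>/dev/null
}

# cert_sans CERT: print the DNS names from the certificate's subjectAltName,
# one per line (prints nothing when the extension is absent).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_matches_host CERT HOSTNAME: succeed only if openssl's hostname check
# (the same matching a TLS client does) accepts HOSTNAME for CERT.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run stand-alone with "--demo": build a cert for three names and show what ended up in it.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_san_cert "$dir" www.example.com www.example.com example.com otherhost.example.com
    echo "SANs in server.crt:"; cert_sans "$dir/server.crt"
    sign_without_extensions "$dir"
    echo "SANs in no_san.crt (signed without -extensions):"; cert_sans "$dir/no_san.crt"
    rm -rf "$dir"
fi
```

    Run it as `sh make_san_cert.sh --demo` (file name assumed): the first listing shows all three names, the second is empty, which is exactly the symptom from the first post. On OpenSSL 1.1.1 or newer the config file can be skipped entirely for a self-signed cert by passing the SANs on the command line, e.g. `openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 825 -subj '/CN=www.example.com' -addext 'subjectAltName=DNS:www.example.com,DNS:example.com'`; the cert_sans check above works the same way on its output.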


  • Moderator

    For those who prefer a GUI tool:
    XCA (Win, Linux, Mac) is nice for creating certs.


  • Moderator

    @DatLicht said in [solved] How can I create a SAN certificate?:

    As Vivaldi makes it nearly impossible to use self-signed SSL certificates

    Not only Vivaldi. Mozilla, Chromium and Chrome dislike incorrect certs that don't respect the RFCs, too.

    Create them correctly. …
    And you did it. Fine. :clap:



  • @Gwen-Dragon said in [solved] How can I create a SAN certificate?:

    Not only Vivaldi. Mozilla, Chromium and Chrome dislike incorrect certs that don't respect the RFCs, too.

    So far, I used the "click-to-ssl" feature that my webhosting provider installed in Plesk. Fill out a form, click 'submit' and you're done. Normally.

    Also, you can sign certificates with openssl without much hassle. Make a private key, walk through a wizard, and you're done. Usually no big thing.

    I'm wondering about other customers who may not have so much patience, when just a simple browser update breaks a site that worked perfectly until then.

    But as you mention Mozilla:
    In Mozilla, you can just say: save my decision as permanent exception and you're done.

    Maybe it's kind of a religious thing, but if I as the computer administrator make a decision, I expect the installed software to accept it. Yes, some things may be uncommon sometimes, but hey, that's why I am the administrator and nobody else, and I (usually) know what I'm doing. I absolutely hate it when software tries to patronize and incapacitate me.

    Btw. thanks for reformatting my entry :)


  • Moderator

    !!! Beware: here are dragons!
    This complete post is my own private opinion !!!

    @DatLicht said in [solved] How can I create a SAN certificate?:

    So far, I used the "click-to-ssl" feature that my webhosting provider installed in Plesk. Fill out a form, click 'submit' and you're done. Normally.

    Then blame your web hoster for their bad certs or creation tools!
    Or get a Let's Encrypt plugin in Plesk and create your own cert.

    I'm wondering about other customers who may not have so much patience, when just a simple browser update breaks a site that worked perfectly until then.

    I have heard similar arguments from users many times over the years with MD5/SHA1- or StartSSL-signed certs when things "suddenly" broke.

    Sorry, but this change with SAN was communicated by Chromium and Google. … And RFCs.
    And owners/webadmins of an SSL-secured website should know what is going on with browsers.
    https://www.chromestatus.com/feature/4981025180483584
    https://tools.ietf.org/html/rfc2818

    But as you mention Mozilla:
    In Mozilla, you can just say: save my decision as permanent exception and you're done.

    Override it as a user and type badidea on the internal Vivaldi SSL error page.

    (…) but if I as the computer administrator make a decision,
    (…)
    that's why I am the administrator and nobody else, and I (usually) know what I'm doing.

    But why with all your superuser power did you fail to recognize the change of cert policy in Chromium-like browsers? ;)

    </End of my little rant.>

    PS: I know that my rant could create at least one enemy more.
    I hope you understand my rant.

