[solved] How can I create a SAN certificate?
-
As Vivaldi makes it nearly impossible to use self-signed SSL certificates (even if I install that certificate as an administrator and confirm loading the page, content randomly goes missing again and again and again), because it expects a subjectAltName, which is usually not filled in when creating a self-signed certificate, I finally need some help now!
I can create a something.csr file which has some more DNS names in it with openssl.
I cannot upload that file to my webhosting provider, as its systems expect a *.crt file, not a *.csr file.
I cannot just sign it with openssl, as all the DNS entries are GONE from the certificate as soon as I convert the file.
Now, as Vivaldi extremely hardens my daily business, I need some help:
How can I create this .crt file with multiple valid SAN entries?? So far, this has cost me three frustrating days of work!!
-
okay ... for everyone who has the same problems as me, here is the solution (done on a Linux Mint VM):
Prerequisite:
- openssl installed
- open a text editor and enter this content (replace the sample data):

[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
# with prompt = no, the subject is built only from this section
0.organizationName = Max Mustermann
organizationalUnitName = Webmaster
emailAddress = [email protected]
localityName = Musterstadt
stateOrProvinceName = Bundesland hier
countryName = DE
commonName = www.example.com

[req_ext]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = otherhost.example.com
# (and so on: DNS.4, DNS.5, ...)
- save the file to openssl_san.conf
- open a shell
- generate a private key with this command:
openssl genrsa -des3 -out myprivate.key 2048
- generate a certificate request with this command:
openssl req -new -key myprivate.key -config openssl_san.conf -out mycertificate.csr
- sign your certificate with this command:
openssl x509 -req -in mycertificate.csr -signkey myprivate.key -out mycertificate.crt -days 3650 -extensions req_ext -extfile openssl_san.conf
(don't forget the -extensions option or your certificate will be signed without SAN hosts!!)
Now, you can upload your mycertificate.crt to your webhosting provider or wherever you want to use it.
To avoid a warning for self-signed certificates, you also need to import your certificate to your operating system. For most Windows systems, it's described here: https://www.namecheap.com/support/knowledgebase/article.aspx/9632/69/how-to-import-intermediate-and-root-certificates-via-mmc
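As an added example (not the original poster's commands), the same key, CSR and self-signed certificate flow as a POSIX shell script, plus a check that lists the SAN names actually present in the resulting certificate, so a missing -extensions option shows up as empty output instead of a browser error. File names, the `dn` section name and the hostnames are assumptions made for this demo.

```shell
#!/bin/sh
# Added example: self-signed certificate with SAN entries, then verify them.
# All paths and hostnames below are constructed for this demo.
set -eu

# Write an OpenSSL request config; $1 = output file, remaining args = DNS names.
# The first name becomes the commonName, all names go into subjectAltName.
write_san_conf() {
  conf="$1"; shift
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = req_ext\n'
    printf '[dn]\ncommonName = %s\n' "$1"
    printf '[req_ext]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n[alt_names]\n'
    i=1
    for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i+1)); done
  } > "$conf"
}

# Key + CSR + self-signed cert in directory $1 for the DNS names that follow.
# -extensions/-extfile is what carries the SAN into the certificate; the key
# is left unencrypted here (no -des3) so the script runs without a prompt.
make_san_cert() {
  dir="$1"; shift
  write_san_conf "$dir/san.conf" "$@"
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/key.pem" -config "$dir/san.conf" -out "$dir/req.csr"
  openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" -days 365 \
    -extensions req_ext -extfile "$dir/san.conf" -out "$dir/cert.crt" 2>/dev/null
}

# Print the DNS names in a certificate's SAN extension, one per line.
# Empty output means the extension is missing (the symptom from the post).
san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
```

Run `make_san_cert ./out www.example.com example.com` and then `san_names ./out/cert.crt`; the same check on a certificate signed without -extensions prints nothing.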
-
@Gwen-Dragon said in [solved] How can I create a SAN certificate?:
Not only Vivaldi. Mozilla, Chromium and Chrome dislike incorrect certs that don't respect the RFCs, too.
So far, I used the "click-to-ssl" feature that my webhosting provider installed in Plesk. Fill out a form, click 'submit' and you're done. Normally.
Also, you can sign certificates with openssl without much hassle. Make a private key, walk through a wizard, and you're done. Usually no big thing.
I'm wondering about other customers who may not have so much patience when just a simple browser update breaks their site that worked perfectly until then.
But as you mention Mozilla:
In Mozilla, you can just say: save my decision as a permanent exception, and you're done. Maybe it's a kinda religious thing, but if I as the computer administrator make a decision, I expect the installed software to accept it. Yes, some things may be uncommon sometimes, but hey - that's why I am the administrator and nobody else, and I (usually) know what I'm doing. I absolutely hate it when software tries to patronize and incapacitate me.
Btw. thanks for reformatting my entry