How to create a multi-domain SSL certificate without common name

Create a multi-domain SSL certificate without a common name.

I will use a self-signed certificate as it is enough to show how it works. Browsers and other clients that follow RFC 6125 match the server name against the Subject Alternative Name (SAN) extension and ignore the common name (Chrome has done so since version 58), so a certificate with an empty subject and names only in the SAN is perfectly usable.

Describe the certificate in a config file. Use a DNS.N entry to define a DNS name and an IP.N entry to define an IP address; both belong in the section referenced by subjectAltName.

$ cat <<EOF | tee certificate.cfg
[ req ]
req_extensions     = req_ext
distinguished_name = req_distinguished_name
prompt             = no
[req_distinguished_name]
# placeholder only: -subj "/" on the command line replaces this name with an empty one
commonName=example.org
[req_ext]
# names the certificate is valid for; add IP.1 = ... here for an IP address
subjectAltName   = @alt_names
[alt_names]
DNS.1  = example.org
DNS.2  = *.example.org
EOF

Generate the private key and the self-signed certificate. The -subj "/" argument replaces the distinguished name from the config with an empty one, so the certificate ends up without a commonName (and, because it is self-signed, with an empty issuer as well); -extensions req_ext copies the subjectAltName into the certificate.

$ openssl req -x509 -config certificate.cfg -extensions req_ext -nodes -days 360 -newkey rsa:2048 -sha256 -keyout certificate.key -out certificate.crt -new -subj "/"
Generating a RSA private key
..................................+++++
..+++++
writing new private key to 'certificate.key'
-----

Display the certificate. Both Issuer and Subject are empty; the names are carried only by the Subject Alternative Name extension. One caveat: RFC 5280 section 4.1.2.6 requires the SAN extension to be marked critical when the subject is empty. The config above does not do that (use subjectAltName = critical,@alt_names for that), and a strict validator may reject the certificate as generated here.

$ openssl x509 -in certificate.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:82:78:28:e9:5e:11:a4:d2:c4:3f:92:de:a8:f6:38:7e:ab:75:93
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: 
        Validity
            Not Before: Feb 24 23:28:43 2021 GMT
            Not After : Feb 19 23:28:43 2022 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:dc:94:a2:4c:42:1e:7d:59:c2:84:ae:06:e1:67:
                    c2:c0:0e:ed:b0:0a:fb:a9:b2:c1:fa:96:88:7f:6e:
                    e8:b3:96:e5:c2:f3:bd:99:39:8c:c5:0c:35:b6:76:
                    a4:ad:6d:73:0c:ca:f1:e2:17:d0:0c:83:20:4d:35:
                    44:40:e6:5e:60:20:fc:37:8b:c1:a2:a5:b8:34:91:
                    e9:a0:b4:1d:de:1c:20:99:ca:3c:76:62:25:02:0f:
                    75:4b:98:c8:f7:1b:3f:5a:f8:8b:d9:a0:5f:c8:fc:
                    ab:6e:97:99:50:14:aa:8b:b4:ea:32:a4:bd:f3:3a:
                    57:73:4b:6f:4c:cd:03:57:45:17:77:5b:92:9e:dc:
                    29:a3:0e:c0:28:3f:7d:ca:e8:2f:8d:58:4a:cf:14:
                    2b:ba:92:2f:6b:8d:b5:89:a7:c7:c5:49:fe:14:3f:
                    26:eb:6e:81:1a:a1:84:1e:25:a3:66:0f:7b:db:51:
                    35:09:bd:79:7e:06:60:73:0c:90:20:44:d2:0c:18:
                    5a:d5:05:f6:cc:34:d5:22:ad:e4:b6:3c:e9:7b:b9:
                    b3:29:e9:84:30:b2:a8:5a:57:08:c6:6c:12:bc:97:
                    f4:1a:1a:5b:cf:3f:75:4c:56:ec:06:b0:15:95:00:
                    d3:00:17:9f:89:03:bc:ee:8e:ed:00:6c:cc:5c:4a:
                    37:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.org, DNS:*.example.org
    Signature Algorithm: sha256WithRSAEncryption
         d4:55:b8:d1:e9:6b:95:86:9c:6b:91:46:77:e4:db:85:c4:7c:
         a4:31:d6:ea:5e:45:ab:b5:08:6b:79:6c:59:02:de:6f:0c:d0:
         44:52:75:d0:18:e8:22:23:e3:3b:8f:db:e2:34:9a:a1:84:d8:
         31:7f:4b:d1:d1:82:3c:b2:aa:1b:05:12:97:54:39:ed:c1:1b:
         4f:54:61:76:8e:3f:f3:bf:4b:4d:86:8b:7a:d0:ff:ca:59:a7:
         47:51:37:68:9a:1b:cc:e3:5c:d6:3a:8a:fc:ac:61:fd:b9:0b:
         09:43:d7:37:16:86:52:de:a5:f4:94:9b:1a:89:6b:7b:12:a4:
         9c:36:25:96:73:68:4d:a0:f5:2d:a6:0b:a8:9e:d7:21:b7:88:
         39:da:d1:d1:d8:9a:e5:0f:32:93:45:dd:35:46:bb:37:ee:5f:
         2b:8d:d4:d4:03:b9:fe:ea:6d:40:47:a3:a3:b2:7d:cf:d7:27:
         30:6c:a2:c2:50:4c:84:12:c7:e1:54:bc:6b:f8:cc:0f:20:86:
         69:2d:f5:6c:64:f3:69:98:e1:ed:fd:70:c3:b0:ec:ea:89:65:
         88:be:7b:98:fe:f1:2c:a4:76:3d:90:1f:46:3b:fe:2f:57:4d:
         ca:c7:b0:e9:bb:a0:c9:42:e0:be:7b:d7:5f:8b:58:20:9b:96:
         5e:08:32:62
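The procedure above as one script, added here as an example and not code from the original post. It repeats the recipe (empty subject via -subj "/", names only in the SAN) with two additions: the SAN is marked critical as RFC 5280 requires for an empty subject, and an IP.1 entry with the constructed documentation-range address 192.0.2.10 shows the IP syntax. It then checks the result the way a client would, using openssl x509 -checkhost and -checkip, which only consult the SAN. The scratch directory and the function names are my own choices; the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): subject-less, SAN-only
# self-signed certificate with a critical SAN, plus hostname/IP checks.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

# Hypothetical scratch directory; override with WORKDIR=... if wanted.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
trap 'rm -rf "$WORKDIR"' EXIT
CFG="$WORKDIR/certificate.cfg"
KEY="$WORKDIR/certificate.key"
CRT="$WORKDIR/certificate.crt"

# Request configuration. The commonName under [req_distinguished_name] is
# only a placeholder: -subj "/" replaces the whole distinguished name with
# an empty one, so no CN ends up in the certificate. The SAN is critical
# because RFC 5280 section 4.1.2.6 demands that when the subject is empty.
# 192.0.2.10 is a constructed sample address from the documentation range.
write_config() {
    cat > "$CFG" <<'EOF'
[ req ]
req_extensions     = req_ext
distinguished_name = req_distinguished_name
prompt             = no
[ req_distinguished_name ]
commonName         = example.org
[ req_ext ]
subjectAltName     = critical,@alt_names
[ alt_names ]
DNS.1  = example.org
DNS.2  = *.example.org
IP.1   = 192.0.2.10
EOF
}

# Generate the key and the self-signed certificate (same flags as the post).
make_cert() {
    openssl req -x509 -new -nodes -config "$CFG" -extensions req_ext \
        -days 360 -newkey rsa:2048 -sha256 -subj "/" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# Exit status 0 when the certificate carries no subject name at all.
subject_is_empty() {
    [ "$(openssl x509 -in "$CRT" -noout -subject | tr -d ' ')" = "subject=" ]
}

# Print the SAN entries on one line without spaces, e.g. DNS:example.org,...
san_names() {
    openssl x509 -in "$CRT" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Hostname check as a client does it: SAN dNSName entries only, a wildcard
# covers exactly one label. Exit status 0 on match, 1 otherwise.
matches_host() {
    openssl x509 -in "$CRT" -noout -checkhost "$1" | grep -q 'does match'
}

# Same check against the SAN iPAddress entries.
matches_ip() {
    openssl x509 -in "$CRT" -noout -checkip "$1" | grep -q 'does match'
}

write_config
make_cert
subject_is_empty && echo "subject: empty (no commonName)"
echo "SAN: $(san_names)"
for h in example.org www.example.org deep.www.example.org example.com; do
    if matches_host "$h"; then echo "$h: match"; else echo "$h: no match"; fi
done
if matches_ip 192.0.2.10; then echo "192.0.2.10: match"; fi
```

The wildcard entry matches www.example.org but not deep.www.example.org, since a wildcard covers a single label only, and example.com never matches because the check looks at the SAN and nothing else.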