Tales From The Geek Side - The geeky musings of Greg Rowe.

Creating a Certificate With Multiple Hostnames
January 8th, 2008 by greg

Multiple Names on One Certificate

While it is not possible without TLS extensions to serve different certificates for a single IP (see http://www.howtoforge.com/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch for how to set up Apache on Debian with TLS extensions), it is possible to have a single certificate that works with any number of hostnames. I'm not talking about a wildcard certificate but a certificate that allows completely different hostnames to be valid for a single certificate. For example, www.foo.com and www.foo.org can share a certificate. This approach is only appropriate in certain circumstances: you wouldn't want two different customers using the same certificate, but a single customer may wish to use one certificate for all of their domains. Both Internet Explorer and Firefox honor certificates of this type. From what I read, some Java SSL libraries do not handle this type of certificate properly, but Java was the only exception.

X.509 certificates, those served in SSL communications, offer a feature known as Subject Alternative Names. A Subject Alternative Name is an attribute that lists an alternate name for the subject of the certificate (that's oddly fitting, isn't it?). In a web context that subject is the hostname. However, it's not just hostnames that can be an alternative subject: email addresses are an option, as are IP addresses.

The first step is to create a CSR (certificate signing request) that contains the subject alternative names that you desire for your certificate. I will show how to do that using openssl. You will likely need to modify the default openssl.cnf file. In Debian this is located in /etc/ssl/openssl.cnf.

Note that you may prefer to make modifications to a local copy and tell openssl to use your locally modified copy using the -config option. For simplicity I will omit -config localopenssl.cnf from my examples.

Config File Settings

You need to tell openssl to create a CSR that includes X.509 v3 extensions, and you also need to tell openssl to include a list of subject alternative names in your CSR. In my openssl.cnf I have the following.

In the [req] section:

    [req]
    req_extensions = v3_req

In the v3_req section:

    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # Some CAs do not yet support subjectAltName in CSRs.
    # Instead the additional names are form entries on web
    # pages where one requests the certificate...
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = www.foo.com
    DNS.2 = www.foo.org

Generating the CSR

Then the CSR is generated using:

    $ openssl req -new -out $CSR_FILENAME -key $KEY_FILE

To check that you got everything correct, use:

    $ openssl req -text -noout -in $CSR_FILENAME

You should see something similar to this:

        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.foo.com, DNS:www.foo.org

Creating the Certificate

Now you must have a CA (certificate authority) create a signed certificate based on the information provided in your request. Unfortunately, most CA software will not honor the subject alternative names in a CSR by default. In the case of the certificate signing tools from Microsoft in Windows 2003, you can tell it to honor subject alternative names using the following:

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc

For openssl you need to use a policy that allows subject alternative names. I believe the policy named policy_anything in the default openssl.cnf file will work. To use that policy:

    $ openssl ca -policy policy_anything -in $CSR_FILENAME -out $CERT_FILENAME

Finally, to test that your certificate was created correctly, use the following:

    $ openssl x509 -text -noout -in $CERT_FILENAME

You should see something like this:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.foo.com, DNS:www.foo.org

This entry was posted on Tuesday, January 8th, 2008 at 2:01 pm and is filed under Geek, Tips.

1 response to "Creating a Certificate With Multiple Hostnames"

1. Easy said (June 18th, 2008 at 2:37 am):

   For an OpenSSL based CA to include the so desired extensions, it is necessary for the openssl.cnf file to have the following option enabled:

       # Extension copying option: use with caution.
       copy_extensions = copy

   under the [ CA_default ] section.
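As an added example (not code from the original post or the comment above), the following POSIX shell script writes a local config carrying the v3_req and alt_names sections from the post, generates a key and CSR with -config, self-signs the CSR while explicitly re-applying the extensions (since signing tools ignore a CSR's requested extensions by default, which is the problem the post and the comment describe), and then lists the DNS names in the SAN of both files to confirm they survived. It assumes openssl is on PATH; the hostnames and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH;
# hostnames and file names below are constructed for illustration.
WORK="${WORK:-$(mktemp -d)}"

# Write a self-contained openssl config (used via -config, so the system
# openssl.cnf is left alone). Usage: write_san_config <cfg> <host1> [host2 ...]
write_san_config() {
    cfg="$1"; shift
    {
        printf '[req]\nprompt = no\ndistinguished_name = req_dn\n'
        printf 'req_extensions = v3_req\n\n[req_dn]\nCN = %s\n\n' "$1"
        printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for h in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$cfg"
}

# Generate a key and a CSR whose Requested Extensions carry the SAN list.
make_csr() {
    cfg="$1"; key="$2"; csr="$3"
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$key" -out "$csr" 2>/dev/null
}

# Self-sign the CSR for testing. Like the CA tools in the post, `openssl x509
# -req` ignores the CSR's requested extensions by default; -extfile/-extensions
# re-applies the v3_req section so the SAN actually reaches the certificate.
self_sign() {
    cfg="$1"; key="$2"; csr="$3"; crt="$4"
    openssl x509 -req -days 1 -in "$csr" -signkey "$key" \
        -extfile "$cfg" -extensions v3_req -out "$crt" 2>/dev/null
}

# List the DNS names in the Subject Alternative Name of a CSR ("req") or a
# certificate ("x509"), one per line, in the order they appear.
san_dns_names() {
    openssl "$1" -in "$2" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
```

Running san_dns_names against the certificate with the -extfile line removed from self_sign prints nothing, which is exactly the silently dropped SAN the post warns about.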