Creating a SubjectAltName (SAN/UCC) CSR

SAN certificates (or, as Microsoft and others have taken to calling them, Unified Communications Certificates) are rapidly becoming a popular option for securing multiple domains. In fact, Exchange 2007, OCS 2007, and several other products now require a UCC to function. This certificate type also offers some advantages over a wildcard certificate. One such advantage is the ability to secure “domain.com”, “www.domain.com”, “domain.net”, and “someotherdomain.com”, names that no single wildcard could cover, all within a single certificate.

SAN CSRs cannot be generated using the interactive prompt in OpenSSL, so we’ll need to write a config file:

[ req ]
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
req_extensions     = req_ext # The extensions to add to the certificate request
 
[ req_distinguished_name ]
countryName           = Country Name (2 letter code)
countryName_default   = US
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Illinois
localityName          = Locality Name (eg, city)
localityName_default  = Chicago
organizationName          = Organization Name (eg, company)
organizationName_default  = Example, Co.
commonName            = Common Name (eg, YOUR name)
commonName_max        = 64
 
[ req_ext ]
subjectAltName          = @alt_names
 
[alt_names]
DNS.1   = test.domain.com
DNS.2   = other.domain.com
DNS.3   = www.domain.net

You will need to set your alt_names section to the FQDNs you wish to use. If you need more, simply add “DNS.4 = whatever.com” and so on. Once you have done that, save the file as “req.conf” and then execute openssl!

openssl req -new -nodes -out myreq.csr -config req.conf
Generating a 1024 bit RSA private key
............................................................++++++
..++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Illinois]:Illinois
Locality Name (eg, city) [Chicago]:Chicago
Organization Name (eg, company) [Example, Co.]:Example, Co.
Common Name (eg, YOUR name) []:www.domain.com

You now have a “myreq.csr” and the “privkey.pem” private key that belongs to it. You can now submit this CSR to a CA for signing or sign it with your own self-signed CA. A tutorial to perform the latter will be published in a few days!
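The same procedure made non-interactive, as an added example that is not part of the original post: build req.conf from a list of hostnames, generate the key and CSR, and then verify that the subjectAltName extension actually landed in the CSR (the one step a CA will silently punish you for skipping). It assumes a POSIX shell and openssl in PATH; the hostnames and file names are placeholders, and the key size is raised to 2048 bits, which current CAs require.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a SAN CSR without
# the interactive prompts by using "prompt = no" and a fixed DN section.

# make_san_conf CN OUTFILE DNS1 [DNS2 ...]: write a SAN request config.
# The alt_names section is numbered DNS.1, DNS.2, ... from the arguments.
make_san_conf() {
  cn=$1; out=$2; shift 2
  {
    printf '[ req ]\n'
    printf 'default_bits        = 2048\n'   # 1024 as in the post is refused by CAs today
    printf 'default_md          = sha256\n'
    printf 'prompt              = no\n'     # take the DN from [ dn ], ask nothing
    printf 'distinguished_name  = dn\n'
    printf 'req_extensions      = req_ext\n\n'
    printf '[ dn ]\n'
    printf 'CN = %s\n\n' "$cn"
    printf '[ req_ext ]\n'
    printf 'subjectAltName = @alt_names\n\n'
    printf '[ alt_names ]\n'
    i=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$out"
}

# make_san_csr CONF KEYFILE CSRFILE: create the private key and CSR.
make_san_csr() {
  openssl req -new -nodes -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# csr_has_san CSRFILE NAME: succeed only if NAME appears in the CSR's SAN list.
# Always run this before submitting; a CSR with no SAN looks identical on disk.
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -qw "DNS:$2"
}
```

Run as `make_san_conf www.domain.com req.conf test.domain.com other.domain.com www.domain.net`, then `make_san_csr req.conf privkey.pem myreq.csr` and `csr_has_san myreq.csr www.domain.net`; a non-zero exit from the last call means the extension was dropped.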

10 Comments

  1. Sean Schulte February 27, 2009

    Do CAs accept such CSRs for a certificate that covers multiple domains?

    Sounds like it should be more expensive than a regular one-domain cert.

  2. Paul February 27, 2009

    CAs that support UCC definitely charge more for that privilege. Additionally, commercial CAs will — in general — just drop all SAN extensions present in the CSR and require the user to input them through a web interface. This example is more for testing or academic purposes than anything else.

  3. Jamie Gellar December 9, 2009

    I try and outline the benefits of UCC or Subject Alt Name SSL to all my clients, so I might point them to the opening paragraph of this blog which is a great summary. Particularly when customers are often registered with various geographically based domains or subsidiaries now.

  4. Ben Dominguez-Benner June 8, 2010

    This article answered 95% of what I have questions on. I am going to search your site to see if you already have an answer for the remaining 5% of my questions.

    Good stuff man!!!!

    (And in regards to being more expensive than a single domain, yes, if all you are doing is securing one or two domains, then just buy individual domains, but if you are securing many domains, then the Multi-Domain (UCC) is the way to go; it saves on SSL costs and IP address fees that likely exist for your hosting environment.)

  5. Luis Gonzalez June 16, 2010

    I have access to a Geotrust reseller portal, and it does indeed recognize SANs in the CSR, but it does also offer the option of typing them in manually.

  6. Luis Gonzalez June 16, 2010

    I should clarify.
    I have access to a Geotrust reseller portal, and the “True BusinessID” SSL certificate does indeed recognize SANs in the CSR, but it does also offer the option of typing them in manually.

  7. Tom July 1, 2011

    This article really helped me set up SSL on Media Temple’s grid service. Thanks so much.

  8. [...] the best you can do is a UCC cert that lists all of the hostnames individually. Here are instructions on generating a CSR from openssl to do this (since the standard prompts will not ask for the subjectAltName field). So you could create a [...]

  9. [...] create a CSR for one via the OpenSSL CLI, this was a bit harder. So following the instructions from this page, I generated my own OpenSSL configuration settings, and exported the [...]

  10. [...] tutorial here: http://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/ [...]
