adam.nz aboutpostsprojectscontact
The Easy Way To Generate OpenSSL CSRs with subjectAltNames

The Easy Way To Generate OpenSSL CSRs with subjectAltNames by Adam Shand

Run your own Linux server and want to use SSL to keep some services encrypted? Tired of having to generate a certificate for every hostname which you want to run an encrypted service on (imap, smtp, www etc)? Well you can use subjectAltNames to include valid multiple hostnames in a single certificate, the catch has been that the syntax for doing this with OpenSSL has been "a little obscure".

Well thanks to CAcert and their free certificate signing service and a simple shell script there is now a simple way to do this:

Create a CAcert account and claim your domain via their web forms. Next step is to download the csr.sh script and then do something like this:

# csr.sh 
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): ronin
FQDN/CommonName (ie. www.example.com) : ronin.spack.org
Type SubjectAltNames for the certificate, one per line. 
Enter a blank line to finish
SubjectAltName: DNS:imap.spack.org
SubjectAltName: DNS:smtp.spack.org
SubjectAltName: DNS:www.spack.org
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key.............................+++......+++
writing new private key to '/Users/shand/ronin_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like ronin_server.pem
-----BEGIN CERTIFICATE REQUEST-----    
MIICqjCCAZICAQAwGjEYMBYGA1UEAxMPcm9uaW4uc3BhY2sub3JnMIIBIjANBgkq    
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwBvirTUOag7MvPWoZT7qS+N7HJhOR9Ne    
... [snip] ...    
3sjbBQs5ERNgiWBEkjbIRszmfV/uD1UN8NDyhLWQlTjT5tWgEiJ9DUTXXKgrgkX/    
zpwgNHtXZ8BMnxTk7T8=
-----END CERTIFICATE REQUEST-----
The Certificate request is also available in /Users/shand/ronin_csr.pem
The Private Key is stored in /Users/adam/ronin_privatekey.pem

Now all you have to do is upload the CSR to CAcert, download the freshly generated new server key and you're all set! Yahoo!

I've just installed a new server using this, and it's working great with Postfix and Dovecot.

tutorial posted on 16 Aug 2007 in #nerding & #teaching

Copyheart 1994–2024 Adam Shand. Sharing is an act of love.