The Easy Way To Generate OpenSSL CSRs with subjectAltNames

Run your own Linux server and want to use SSL/TLS to keep some services encrypted? Tired of generating a separate certificate for every hostname you run an encrypted service on (imap, smtp, www, etc.)? You can use subjectAltNames to include multiple valid hostnames in a single certificate; the catch has been that the OpenSSL syntax for doing this is “a little obscure”: the SANs can't be given on the `openssl req` command line (not until the -addext option appeared in OpenSSL 1.1.1), they have to be listed in an extension section of a config file that you point the request at with -reqexts.

Thanks to CAcert's free certificate signing service and a simple shell script, there is now an easy way to do this:

Create a CAcert account and claim your domain via their web forms. Next, download the csr.sh script and run it; it prompts for the hostname and the SANs, then generates the private key and the CSR for you, like this:

overkill(shand)$ csr.sh 
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org
    
Short Hostname (ie. imap big_srv www2): ronin
FQDN/CommonName (ie. www.example.com) : ronin.spack.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:imap.spack.org
SubjectAltName: DNS:smtp.spack.org
SubjectAltName: DNS:www.spack.org
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
...........................................................................................+++
......+++
writing new private key to '/Users/shand/ronin_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like ronin_server.pem
    
    -----BEGIN CERTIFICATE REQUEST-----
    MIICqjCCAZICAQAwGjEYMBYGA1UEAxMPcm9uaW4uc3BhY2sub3JnMIIBIjANBgkq
    hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwBvirTUOag7MvPWoZT7qS+N7HJhOR9Ne
    ... [snip] ...
    3sjbBQs5ERNgiWBEkjbIRszmfV/uD1UN8NDyhLWQlTjT5tWgEiJ9DUTXXKgrgkX/
    zpwgNHtXZ8BMnxTk7T8=
    -----END CERTIFICATE REQUEST-----
    
The Certificate request is also available in /Users/shand/ronin_csr.pem
The Private Key is stored in /Users/shand/ronin_privatekey.pem

Now all you have to do is upload the CSR to CAcert, download the freshly signed server certificate it hands back, and install it alongside the private key (ronin_privatekey.pem), which never leaves your machine, and you're all set! Yahoo! One caveat: CAcert's root certificate isn't shipped in the major browser and operating system trust stores, so clients that connect to these services will warn about the certificate unless the CAcert root has been installed on them.
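For the curious, here is what the script is doing for you. This is an added example written for this page, not the csr.sh script itself or anything from CAcert: it generates a key and a CSR with subjectAltNames using plain OpenSSL, via the config-file section and -reqexts that make the syntax obscure, and then reads the names back out of the CSR so you can check them before uploading. It assumes the spack.org hostnames from the transcript above and a scratch directory; the file names are illustrative. It also adds the CommonName itself to the SAN list, which csr.sh's output above does not, because modern clients check the SAN list rather than the CN.

```shell
#!/bin/sh
# Added example (not the csr.sh script): generate an RSA key and a CSR that
# carries subjectAltNames with plain OpenSSL, then inspect the result.
set -eu

# make_san_csr OUTDIR CN SAN...
# Writes OUTDIR/CN.key (2048-bit RSA, unencrypted, mode 0600) and
# OUTDIR/CN.csr whose subjectAltName extension lists the CN plus every
# extra hostname given.  Prints the path of the CSR.
make_san_csr() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"
    cfg="$outdir/$cn.cnf"

    # The obscure part: the SANs live in a request-extension section of an
    # OpenSSL config file, not on the command line.  Build "DNS:a,DNS:b,...",
    # starting with the CN so clients that ignore the CN still match it.
    sans="DNS:$cn"
    for h in "$@"; do
        sans="$sans,DNS:$h"
    done

    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = san

[ dn ]
CN = $cn

[ san ]
subjectAltName = $sans
EOF

    # -reqexts names the section whose extensions go into the CSR.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$cn.key" -out "$outdir/$cn.csr" \
        -config "$cfg" -reqexts san 2>/dev/null
    chmod 600 "$outdir/$cn.key"
    printf '%s\n' "$outdir/$cn.csr"
}

# csr_sans CSRFILE
# Prints the DNS names in the CSR's subjectAltName extension, one per line.
# Run this before uploading: a CSR with no SAN section is the usual reason a
# single-name certificate comes back from the CA.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# csr_cn CSRFILE
# Prints the CommonName from the CSR subject (works with the "CN = x" and
# the older "/CN=x" subject formats).
csr_cn() {
    openssl req -noout -subject -in "$1" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage, with the hostnames from the transcript above:
#   csr=$(make_san_csr ./certs ronin.spack.org imap.spack.org smtp.spack.org www.spack.org)
#   csr_sans "$csr"
```

The CA will only honour the SANs it can validate, so every name listed here still has to belong to a domain you have claimed in your CAcert account.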

I've just installed a new server using this and it's working great with Postfix and Dovecot.


2014 by adam shand. sharing is an act of love, please share.