The Easy Way To Generate OpenSSL CSRs with subjectAltNames
Run your own Linux server and want to use SSL to keep some services encrypted? Tired of having to generate a certificate for every hostname you want to run an encrypted service on (imap, smtp, www, etc.)? You can use subjectAltNames to include multiple valid hostnames in a single certificate; the catch has been that the syntax for doing this with OpenSSL is "a little obscure".
Well, thanks to CAcert, their free certificate signing service, and a simple shell script, there is now an easy way to do this:
Create a CAcert account and claim your domain via their web forms. The next step is to download the csr.sh script and then do something like this:
# csr.sh
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org
Short Hostname (ie. imap big_srv www2): ronin
FQDN/CommonName (ie. www.example.com) : ronin.spack.org
Type SubjectAltNames for the certificate, one per line.
Enter a blank line to finish
SubjectAltName: DNS:imap.spack.org
SubjectAltName: DNS:smtp.spack.org
SubjectAltName: DNS:www.spack.org
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key.............................+++......+++
writing new private key to '/Users/shand/ronin_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like ronin_server.pem
-----BEGIN CERTIFICATE REQUEST-----
MIICqjCCAZICAQAwGjEYMBYGA1UEAxMPcm9uaW4uc3BhY2sub3JnMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwBvirTUOag7MvPWoZT7qS+N7HJhOR9Ne
... [snip] ...
3sjbBQs5ERNgiWBEkjbIRszmfV/uD1UN8NDyhLWQlTjT5tWgEiJ9DUTXXKgrgkX/
zpwgNHtXZ8BMnxTk7T8=
-----END CERTIFICATE REQUEST-----
The Certificate request is also available in /Users/shand/ronin_csr.pem
The Private Key is stored in /Users/adam/ronin_privatekey.pem
Now all you have to do is upload the CSR to CAcert, download the freshly issued server certificate, and you're all set! Yahoo!
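For anyone who wants to see the OpenSSL syntax the script hides, here is the same job done by hand: a config file with a subjectAltName section, a key plus CSR generated from it, and a check that the CSR really carries every name before it is uploaded. This is an added example, not CAcert's csr.sh; the function names are chosen here and the hostnames are the ones from the session above.

```shell
#!/bin/sh
# Added example, not CAcert's csr.sh: the openssl syntax for a CSR that
# carries subjectAltName entries. Function names are chosen here; the
# hostnames are the ones from the post's session.

# Print an openssl req config for CommonName $1 with SANs $1, $2, ...
# The CN is repeated as DNS.1 because modern clients match SANs only.
make_san_config() {
    cn=$1
    shift
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n\n'
    printf '[dn]\nCN = %s\n\n' "$cn"
    printf '[ext]\nsubjectAltName = @alt\n\n[alt]\n'
    i=1
    for h in "$cn" "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$h"
        i=$((i + 1))
    done
}

# make_csr <basename> <cn> <san>...: writes <basename>_privatekey.pem and
# <basename>_csr.pem (unencrypted 2048-bit RSA key, SHA-256 signature).
# The subshell umask keeps the private key readable by the owner only.
make_csr() {
    base=$1
    cn=$2
    shift 2
    make_san_config "$cn" "$@" > "${base}_csr.cnf"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "${base}_privatekey.pem" -out "${base}_csr.pem" \
          -config "${base}_csr.cnf" 2>/dev/null )
}

# Print the DNS names a CSR actually carries, one per line, so you can
# confirm every hostname is present before uploading it to the CA.
csr_san_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Usage: make_csr ronin ronin.spack.org imap.spack.org smtp.spack.org www.spack.org
#        csr_san_names ronin_csr.pem
```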
I've just installed a new server using this, and it's working great with Postfix and Dovecot.