The Easy Way To Generate OpenSSL CSRs with subjectAltNames
Run your own Linux server and want to use SSL to keep some services encrypted? Tired of having to generate a certificate for every hostname on which you want to run an encrypted service (imap, smtp, www, etc.)? Well, you can use subjectAltNames to include multiple valid hostnames in a single certificate. The catch has been that the syntax for doing this with OpenSSL is "a little obscure".
Create a CAcert account and claim your domain via their web forms. Next step is to download the csr.sh script and then do something like this:
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org
Short Hostname (ie. imap big_srv www2): ronin
FQDN/CommonName (ie. www.example.com) : ronin.spack.org
Type SubjectAltNames for the certificate, one per line.
Enter a blank line to finish
Generating a 2048 bit RSA private key.............................+++......+++
writing new private key to '/Users/shand/ronin_privatekey.pem'
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like ronin_server.pem
-----BEGIN CERTIFICATE REQUEST-----
... [snip] ...
-----END CERTIFICATE REQUEST-----
The Certificate request is also available in /Users/shand/ronin_csr.pem
The Private Key is stored in /Users/adam/ronin_privatekey.pem
Now all you have to do is upload the CSR to CAcert, download the freshly generated server certificate, and you're all set! Yahoo!
I've just installed a new server using this, and it's working great with Postfix and Dovecot.
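For comparison, this is what the "a little obscure" OpenSSL syntax looks like when written by hand. It is an added example, not taken from csr.sh or from the original post. The function names make_san_csr and csr_sans are hypothetical, and the output file names simply follow the pattern shown in the session above.

```shell
# make_san_csr <output-prefix> <common-name> [extra-dns-name ...]
make_san_csr() {
    prefix=$1; cn=$2; shift 2
    cnf=$(mktemp) || return 1

    # Repeat the CN as the first SAN entry: when a SAN extension is present,
    # clients match hostnames against it rather than against the CN.
    san="DNS:$cn"
    for name in "$@"; do
        san="$san,DNS:$name"
    done

    # Minimal request config: the SAN list is requested via req_extensions.
    cat > "$cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $cn

[ v3_req ]
subjectAltName = $san
EOF

    # Create the key with owner-only permissions; only the CSR goes to the CA.
    old_umask=$(umask); umask 077
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
        -keyout "${prefix}_privatekey.pem" -out "${prefix}_csr.pem"
    rc=$?
    umask "$old_umask"; rm -f "$cnf"
    return $rc
}

# Print the SAN line of a CSR so it can be checked before submission.
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;s/[[:space:]]*$//;p;}'
}
```

Running csr_sans on the generated CSR before pasting it into the CA's form confirms that every hostname you expect is actually in the request.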