In this article, we will generate a SAN certificate CSR using the OpenSSL utility. SAN stands for “Subject Alternative Name”, and such a certificate carries multiple names (commonly described as multiple CNs, Common Names) within a single certificate.
A SAN certificate lets us use one common certificate for multiple CNs, so you can use it for more than one web server.
You may include DNS names as well as IP addresses in the certificate to avoid certificate warning messages in current web browsers.
For a real-world example, look at the Microsoft Bing certificate: it is a SAN certificate and includes multiple names.
How to generate CSR with SAN
You need a server where OpenSSL is installed. Log in to the server and follow the procedure below to generate the SAN certificate CSR.
1. Navigate to /tmp directory
[root@firewallbuddy]# cd /tmp
2. Create a san.cnf file using touch
[root@firewallbuddy tmp]# touch san.cnf
3. Edit the file using vi or nano editor
[root@firewallbuddy tmp]# nano san.cnf
Now, edit the file as per your requirements.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
# Prompting is left enabled (the default): the entries in req_distinguished_name
# below are prompt labels. The original file also set "prompt = no", but with that
# setting OpenSSL uses each label as the literal field value (e.g. a countryName
# longer than two characters) and the request fails, so that line is omitted here.

[ req_distinguished_name ]
countryName = Country Name (2-letter code, i.e, IN)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = iptrainer.net
DNS.2 = iptrainer.com
DNS.3 = iptrainer.info
IP.1 = 198.54.116.242
IP.2 = 1.1.1.1
As you may have noticed, we used both DNS names and IP addresses in the alt_names section. Edit this section as per your requirements.
Now, you need to run the below command to generate the CSR.
[root@firewallbuddy tmp]# openssl req -out server.iptrainer.csr -newkey rsa:2048 -nodes -keyout server.iptrainer.key -config san.cnf
Once you execute this command, you will see the following output in the CLI:
Generating a 2048 bit RSA private key
..................................+++
........................+++
writing new private key to 'server.iptrainer.key'
-----
The above command will generate the server.iptrainer.csr and server.iptrainer.key in the current working directory, i.e., /tmp. You need to provide the server.iptrainer.csr file to the Certificate Authority so they can sign it and provide it back to you.
Verify the content of CSR using OpenSSL
It is also important to verify the content of the CSR before providing it to the CA (Certificate Authority). You may execute the below command to verify the content of a CSR:
[root@firewallbuddy tmp]# openssl req -text -noout -verify -in server.iptrainer.csr
or
[root@firewallbuddy tmp]# openssl req -text -noout -verify -in server.iptrainer.csr | egrep 'DNS|IP'
You will get all of the DNS names and IP addresses you configured in the SAN certificate CSR:
verify OK
DNS:iptrainer.net, DNS:iptrainer.com, DNS:iptrainer.info, IP Address:198.54.116.242, IP Address:1.1.1.1
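The same two steps (write san.cnf, generate the key and CSR) plus the SAN check, as an added example that is not part of the original article. It assumes a non-interactive config (prompt = no with literal DN values), constructed placeholder names under example.com and the documentation address 198.51.100.10, and function names of my own; the check fails if any intended name is missing from the CSR's SAN.

```shell
#!/bin/sh
# Added example (not from the original article): write san.cnf without prompts,
# generate key + CSR, then confirm the CSR's SAN list carries every intended name.
set -eu
write_san_cnf() {
    # $1 = output file, $2 = Common Name, remaining args = SAN entries.
    # With "prompt = no" every DN field must be a literal value, not a prompt label.
    cnf=$1; cn=$2; shift 2; d=0; i=0
    {
        printf '[ req ]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n'
        printf '[ req_distinguished_name ]\nC = IN\nST = Example State\nL = Example City\n'
        printf 'O = Example Org\nCN = %s\n[ req_ext ]\nsubjectAltName = @alt_names\n' "$cn"
        printf '[ alt_names ]\n'
        for name in "$@"; do
            case $name in
                *:*)        i=$((i + 1)); printf 'IP.%d = %s\n'  "$i" "$name" ;;  # IPv6
                *[!0-9.]*)  d=$((d + 1)); printf 'DNS.%d = %s\n' "$d" "$name" ;;  # hostname
                *)          i=$((i + 1)); printf 'IP.%d = %s\n'  "$i" "$name" ;;  # IPv4
            esac
        done
    } > "$cnf"
}
gen_csr() {
    # $1 = config file, $2 = output prefix; creates $2.key and $2.csr.
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" -config "$1" 2>/dev/null
}
csr_san() {
    # Print the CSR's SAN entries one per line, e.g. "DNS:example.com".
    openssl req -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); gsub(/, /, "\n"); print }'
}
check_san() {
    # Succeed only if every expected entry ($2...) appears in the SAN of the CSR ($1).
    csr=$1; shift
    have=$(csr_san "$csr")
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$want" || return 1
    done
}
main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 0; }
    work=$(mktemp -d)
    # The CN is repeated in the SAN: browsers match names against the SAN only and ignore the CN.
    write_san_cnf "$work/san.cnf" www.example.com www.example.com example.com 198.51.100.10
    gen_csr "$work/san.cnf" "$work/server"
    check_san "$work/server.csr" DNS:www.example.com DNS:example.com "IP Address:198.51.100.10" && echo "SAN OK" || echo "SAN mismatch"
}
main
```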
That’s it! We have successfully generated the SAN Certificate CSR using OpenSSL. You can install the certificate once you receive the Certificate from the CA (Certificate Authority).
Summary
A SAN certificate carries multiple Common Names, so it is easy to use across your different web servers. You can even define IP addresses in the SAN certificate and browse your web server without getting a certificate warning page in current web browsers. OpenSSL is an open-source utility that helps us generate SSL certificates.
We hope you liked this article. If you did, please share it on other platforms! If you run into an error, leave a comment in the comment box!