Wednesday, October 28, 2020

How to create SAN Certificate and its usage

SAN stands for Subject Alternative Name, an X.509 extension that lets one certificate carry several host names, so the same certificate can be used for multiple domains. This saves the cost of buying a separate certificate per site. For example, we can generate one certificate, list the other domain names in its Subject Alternative Name field, and use it on all of those sites.

Follow the steps below to generate a SAN certificate and configure it in the Apache web server.

Create a san.conf file with the sample content below. Because prompt = no is set, the fields in [ req_distinguished_name ] must hold the actual values (the placeholder values shown are examples to replace with your own), not the prompt text.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
req_extensions = req_ext

[ req_distinguished_name ]
# Country Name (2 letter code)
countryName = XX
# State or Province Name (full name)
stateOrProvinceName = Example State
# Locality Name (eg, city)
localityName = Example City
# Organization Name (eg, company)
organizationName = Example Org
# Common Name (e.g. server FQDN)
commonName = abc.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = abc.com
DNS.2 = def.com
DNS.3 = fgh.com

The [alt_names] section is where the additional host names go: add one DNS.n entry for every name the certificate should cover, and include the commonName itself as one of them, since modern clients match the server name against the SAN list rather than the CN.
Generate the private key together with the CSR file using the openssl command below:
openssl req -out sslcert.csr -newkey rsa:2048 -sha256 -nodes -keyout private.key -config san.conf
This writes private.key and sslcert.csr into the current directory. The -nodes option leaves the private key unencrypted on disk, so restrict the file's permissions to the account that runs Apache.

Once the CSR file is generated you can verify its content at https://www.entrust.net/ssl-technical/csr-viewer.cfm by pasting the content of sslcert.csr into that page, or check it locally with openssl:
openssl req -noout -text -in sslcert.csr | grep DNS

The output should list every name from the [alt_names] section as DNS:abc.com, DNS:def.com, DNS:fgh.com. If the names are missing, the usual cause is that the req_extensions = req_ext line in san.conf was not applied, and the CSR must be regenerated.
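To tie the generation and verification steps together, here is an added shell script (not code from the original post) that writes a san.conf like the one above, runs the same openssl command to produce the key and CSR, and then checks the CSR: it verifies the self-signature and confirms that every expected DNS name is present in the Subject Alternative Name extension. It assumes openssl is on PATH; the DN values and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the post's code); assumes openssl is on PATH.
set -eu

# Write a san.conf for CN $2 plus the DNS names in the remaining args.
# prompt = no means the DN fields hold real values, not prompt text.
write_san_conf() {
  conf=$1; cn=$2; shift 2
  {
    printf '[ req ]\ndefault_bits = 2048\nprompt = no\n'
    printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n'
    printf '[ req_distinguished_name ]\ncountryName = XX\nstateOrProvinceName = Example State\n'
    printf 'localityName = Example City\norganizationName = Example Org\ncommonName = %s\n' "$cn"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
    i=1
    for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
  } > "$conf"
}

# Generate key ($2) and CSR ($3) from config $1, as in the post's command.
gen_csr() {
  openssl req -out "$3" -newkey rsa:2048 -sha256 -nodes -keyout "$2" -config "$1" >/dev/null 2>&1
  chmod 600 "$2"   # -nodes leaves the key unencrypted: restrict read access
}

# List the DNS names in the CSR's Subject Alternative Name extension.
csr_dns_names() {
  openssl req -noout -text -in "$1" | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Succeed only if the CSR self-signature verifies and every expected
# DNS name (args after the CSR path) is present in the SAN list.
check_csr() {
  csr=$1; shift
  openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
  found=$(csr_dns_names "$csr")
  for name in "$@"; do
    printf '%s\n' "$found" | grep -qxF "$name" || return 1
  done
}

# Demo with the post's (constructed) host names in a scratch directory.
demo() {
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  write_san_conf "$dir/san.conf" abc.com abc.com def.com fgh.com
  gen_csr "$dir/san.conf" "$dir/private.key" "$dir/sslcert.csr"
  check_csr "$dir/sslcert.csr" abc.com def.com fgh.com && echo "CSR OK: all SANs present"
}
```

Run it with `demo` appended at the end of the script; check_csr returns non-zero whenever the CSR lacks one of the names or fails signature verification.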
Once the CSR is verified, get it signed by a third-party CA such as Entrust or Symantec.
Download the signed certificate (CER) together with the root and intermediate certificates in PEM format.

For the Apache SSL configuration we need three files.
Rename the issued CER to httpd.cer for SSLCertificateFile and private.key to httpd.key for SSLCertificateKeyFile. Create the SSLCACertificateFile by appending the root certificate to the intermediate certificate:

cat intermediate.cer >httpd_ca.crt && cat root.cer >>httpd_ca.crt

Then reference the three files in the Apache SSL configuration:

SSLCertificateFile /web/apache/WEB1A/ssl/httpd.cer
SSLCertificateKeyFile /web/apache/WEB1A/ssl/httpd.key
SSLCACertificateFile /web/apache/WEB1A/ssl/httpd_ca.crt

Note that Apache uses SSLCACertificateFile to validate client certificates; the intermediate chain that is sent to browsers belongs in SSLCertificateChainFile (or, on httpd 2.4.8 and later, appended to the file named by SSLCertificateFile), so after restarting Apache confirm the served chain with openssl s_client.
