Generate a SAN certificate
Generating an SSL SAN certificate for Linux and Windows
This article guides you through generating an SSL SAN (Subject Alternative Name) certificate for Linux and Windows. A SAN certificate lets a single certificate protect several domain names, which is useful for websites that are reached under multiple names or aliases.
We will use a configuration file called “certificate.conf” to hold all the information needed for the certificate. It’s important to note that some browsers, such as Chrome, now require the host name to appear in the SAN extension rather than only in the Common Name. Additionally, the maximum lifetime of a certificate is limited to 398 days by Apple standards, which many tech companies have adopted.
It’s worth noting that while the instructions in this article were written for generating certificates on Linux, they can also be followed on Windows, either natively or using the Windows Subsystem for Linux (WSL).
Anatomy of a certificate
When it comes to securing a website, there are three important files that are often used: a CSR (Certificate Signing Request), a CER (Certificate), and a KEY file.
- A CSR (Certificate Signing Request) file is a request that is sent to a certificate authority (CA) to obtain a digital certificate for a website. It contains information about the website and the organization that owns it, such as the domain name, organization name, and contact information.
- A CER or CRT (Certificate) file is a digital certificate that is issued by a CA in response to a CSR. It contains the public key of a website and information about the organization that owns it. The CER or CRT file is installed on the website’s server and is used to establish a secure connection between the server and the user’s browser.
- A KEY file is the private key that is generated along with the CSR file. It is used during the TLS handshake to prove the server’s identity and set up the encrypted connection between the website’s server and the user’s browser. The KEY file must be kept private and secure, and should never be shared (not even with the CA, which only needs the CSR).
In short, a CSR is a request for a certificate, a CER or CRT is a certificate issued by a CA and a KEY file is a private key that is used to secure the connection between the server and the browser.
Structure of the SSL SAN certificate file
In the configuration file, you will see a section called “[req]” which sets up the basic information for the request. The “[req_distinguished_name]” section includes information about your organization, such as the country, state, city, and name of the organization.
The “[v3_req]” section defines the key usage and extended key usage of the certificate. The “[alt_names]” section is where you list the domain names, aliases and IP addresses that the certificate will protect. Below is an example of a file you may want to use as a template and customize to your needs.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CH
ST = VD
L = Lausanne
O = BoringLab
OU = IT
CN = mycert.boringlab.ch

[v3_req]
# digitalSignature is needed for RSA signatures in ECDHE and TLS 1.3 handshakes
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = mycert.boringlab.ch
DNS.2 = myalias1.boringlab.ch
DNS.3 = myalias2.boringlab.ch
IP.1 = 10.10.10.10
IP.2 = 192.168.10.10
Generate the SSL SAN certificate request file
To generate the Certificate Signing Request (CSR) file, you will use the “openssl req” command, along with the options for the configuration file, key, and hashing algorithm. It’s important to use a strong hashing algorithm, such as SHA256, and not a weak one like SHA1.
openssl req -new -out mycert.csr -newkey rsa:4096 -nodes -sha256 -keyout mycert.key -config certificate.conf
Once you have the CSR file, send it to your internal CA (Certificate Authority) to have a proper certificate issued. If you are using a public CA, the names must be publicly resolvable domains and you must own the domain to approve the request (or have someone who controls the domain approve it for you).
cat mycert.csr
Convert your SSL SAN certificate to PFX for Windows
Finally, you can convert the certificate to PFX format using the “openssl pkcs12” command, for example to use it on Microsoft Windows. The resulting file will be called “mycert.pfx” and it will include the private key and the certificate.
openssl pkcs12 -export -out mycert.pfx -inkey mycert.key -in mycert.crt
- mycert.pfx is the expected outcome
- mycert.key is the certificate private key
- mycert.crt is the certificate
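The following script is an added example and is not code from the original article. It ties together the three steps above (the certificate.conf layout, the openssl req command for the CSR, and the openssl pkcs12 export): it builds the config from a list of names, creates the key and CSR, lets a throwaway local CA stand in for the “internal CA”, checks that the SANs actually survived signing, and exports the PFX. The host names under boringlab.ch, the file names, the “Demo Internal CA” name and the PFX password are all constructed for the demo, and the openssl binary must be installed.

```shell
#!/bin/sh
# Added example, not code from the original article. Walks the article's flow end to
# end: build certificate.conf from a host list, create the key and CSR, have a
# throwaway local CA stand in for the "internal CA", check that the SANs survived
# signing, and export a PFX for Windows. Host names (boringlab.ch), file names and
# the PFX password are constructed for the demo. Requires the openssl binary.
set -e

# make_san_config <CN> [more DNS names or IPv4 addresses...]
# Prints an OpenSSL req config in the article's layout. Anything made only of
# digits and dots is treated as an IPv4 address (IP.n), everything else as DNS.n.
make_san_config() {
    cn=$1; shift
    printf '[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\nprompt = no\n\n'
    printf '[req_distinguished_name]\nC = CH\nST = VD\nL = Lausanne\nO = BoringLab\nOU = IT\nCN = %s\n\n' "$cn"
    # digitalSignature is included because RSA server certificates sign the
    # ECDHE and TLS 1.3 handshakes; keyEncipherment covers legacy RSA key exchange.
    printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    dns=1; ip=1
    for name in "$cn" "$@"; do
        case $name in
            *[!0-9.]*) printf 'DNS.%s = %s\n' "$dns" "$name"; dns=$((dns + 1)) ;;
            *)         printf 'IP.%s = %s\n' "$ip" "$name"; ip=$((ip + 1)) ;;
        esac
    done
}

# make_csr <conf> <key-out> <csr-out>: the article's openssl req command (RSA 4096, SHA-256).
make_csr() {
    openssl req -new -newkey rsa:4096 -nodes -sha256 -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# sans_of <req|x509> <file>: prints the subjectAltName entries of a CSR or a
# certificate, one per line, e.g. "DNS:mycert.boringlab.ch" or "IP Address:10.10.10.10".
sans_of() {
    openssl "$1" -in "$2" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *//'
}

# sign_with_local_ca <conf> <csr> <crt-out>: creates a throwaway CA (ca.key/ca.crt in
# the current directory) and signs the CSR for 398 days. Without -extfile/-extensions
# the SANs requested in the CSR are silently dropped from the issued certificate,
# which is why the result should always be checked with sans_of before deployment.
sign_with_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/CN=Demo Internal CA' -keyout ca.key -out ca.crt 2>/dev/null
    openssl x509 -req -in "$2" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 398 -sha256 -extfile "$1" -extensions v3_req -out "$3" 2>/dev/null
}

# make_pfx <key> <crt> <ca-crt> <pfx-out> <password>: the article's pkcs12 export,
# with the CA certificate bundled so Windows can build the chain.
make_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# pfx_key_count <pfx> <password>: number of private keys inside the bundle (expect 1).
pfx_key_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY'
}

# run_demo <workdir>: runs the whole flow inside <workdir> and prints the SANs of
# the issued certificate.
run_demo() {
    (
        cd "$1"
        make_san_config mycert.boringlab.ch myalias1.boringlab.ch myalias2.boringlab.ch \
            10.10.10.10 192.168.10.10 > certificate.conf
        make_csr certificate.conf mycert.key mycert.csr
        sign_with_local_ca certificate.conf mycert.csr mycert.crt
        make_pfx mycert.key mycert.crt ca.crt mycert.pfx demo-password
        sans_of x509 mycert.crt
    )
}

# sh san_demo.sh run   -> executes the flow in a temporary directory
if [ "${1:-}" = "run" ]; then
    run_demo "$(mktemp -d)"
fi
```

Run it with “sh san_demo.sh run”; the printed list should contain every DNS and IP entry from the config. The same sans_of check is worth running twice in real life: on the CSR before you send it (openssl req) and on the certificate the CA returns (openssl x509), because a CA that does not copy requested extensions hands back a certificate with no SANs and the browser then rejects every alias. If an older Windows host refuses a PFX produced by OpenSSL 3, re-run the export with the -legacy option so the bundle uses the older encryption that those hosts understand.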
Conclusion
In conclusion, generating an SSL SAN certificate for Linux and Windows is a straightforward process that allows you to protect multiple domain names with a single certificate. By following the steps outlined in this article and using the configuration file and commands provided, you can easily generate a CSR file, have it signed, and then convert the result to PFX format.
This will ensure that your website is secure for all of its domain names and aliases, and that it is compliant with the latest browser and industry standards. You may want to see my article on how to Generate an SSL Certificate for Proxmox GUI and consider my article on Certificate error 0x80094001.