A few years back I set up my certificate so that it had a CN of ressukka.net and subjAltName of *.ressukka.net. Recently I had to do it again and it took me quite a while to find the correct configuration. This is how it's done.

I'm assuming that the private key is already generated so I'm just focusing on the actual certificate. First, we need to create a generic configuration file. The file is generic and aims to be flexible, not efficient:

[ req ]
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ v3_req ]
subjectAltName          = $ENV::SUBJALTNAME

[ req_distinguished_name ]
commonName          = Common Name (eg, YOUR name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64

Assuming this configuration is stored as /tmp/openssl.cnf, the following will generate the certificate (the e-mail address in -subj is a placeholder):

SUBJALTNAME='DNS:*.example.com,DNS:*.example.net' openssl req \
  -config /tmp/openssl.cnf \
  -subj '/CN=host.example.com/emailAddress=user@example.com' \
  -new -days 365 -extensions v3_req -key private-key.pem

Generating a self-signed certificate is a matter of adding -x509 to the command.
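To confirm that the subjectAltName really ended up in the output, here is an added example (not part of the original post) that wraps the configuration and command above in a shell function and reads the SAN back from the result. The function name san_roundtrip, the temporary directory and the throwaway key are assumptions made for the example.

```sh
# Added example (not from the original post): the page's config and command,
# wrapped in a function that reads the SAN back out of the result.
# Usage: san_roundtrip csr|x509 'DNS:a.example,DNS:b.example'
san_roundtrip() (
    mode=$1 san=$2
    # $ENV::SUBJALTNAME has no fallback in the config: if the variable is unset,
    # openssl aborts while loading the file. Reject a missing value up front.
    [ -n "$san" ] || { echo "SUBJALTNAME must not be empty" >&2; exit 2; }
    # Each comma-separated entry needs a type prefix (DNS:, IP:, email:, URI:).
    set -f; IFS=,
    for entry in $san; do
        case $entry in
            DNS:?*|IP:?*|email:?*|URI:?*) ;;
            *) echo "SAN entry lacks a type prefix: $entry" >&2; exit 2 ;;
        esac
    done
    unset IFS; set +f
    case $mode in
        csr)  extra='' reader=req ;;                 # certificate request
        x509) extra='-x509 -days 365' reader=x509 ;; # self-signed certificate
        *)    echo "mode must be csr or x509" >&2; exit 2 ;;
    esac
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
[ v3_req ]
subjectAltName     = $ENV::SUBJALTNAME
[ req_distinguished_name ]
commonName         = Common Name
EOF
    # Throwaway key so the example is self-contained; the post assumes yours exists.
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || exit 1
    SUBJALTNAME=$san openssl req -config "$dir/openssl.cnf" \
        -subj '/CN=host.example.com' -new $extra \
        -extensions v3_req -key "$dir/key.pem" -out "$dir/out.pem" || exit 1
    # Print only the line that follows the SAN header in the text dump.
    openssl "$reader" -in "$dir/out.pem" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
)
```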

In the end, it's not complicated if you have proper instructions, but currently there don't appear to be any simple and straightforward instructions. So hopefully this helps someone.
