Subject Alternative Name Certificate

  1. Create a config file to save ourselves the hassle:
    cert_config.cnf
    [ req ]
    default_bits		= 4096
    default_keyfile		= server.key
    distinguished_name	= subject
    req_extensions		= v3_req
    x509_extensions		= extensions
    string_mask		= utf8only
     
    [ subject ]
    countryName		= Country Name (2 letter code)
    countryName_default	= RU
     
    stateOrProvinceName	= State or Province Name (full name)
    stateOrProvinceName_default = Moscow reg.
     
    localityName		= Locality Name (eg, city)
    localityName_default	= Khimki
     
    organizationName	= Organization Name (eg, company)
    organizationName_default = Chroot org.
     
    commonName		= Common Name (e.g. server FQDN or YOUR name)
    commonName_default	= Example, LLC
     
    emailAddress		= Email Address
    emailAddress_default	= adm@chroot.ru
     
    [ extensions ]
     
    subjectKeyIdentifier	= hash
    authorityKeyIdentifier	= keyid,issuer
    basicConstraints	= CA:FALSE
    keyUsage		= nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage	= serverAuth
    subjectAltName		= @alternate_names
    nsComment		= "OpenSSL Generated Certificate"
     
    [ v3_req ]
    subjectKeyIdentifier	= hash
    basicConstraints	= CA:FALSE
    keyUsage		= nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage	= serverAuth
    subjectAltName		= @alternate_names
     
    [ alternate_names ]
     
    DNS.1	= chroot.ru
    DNS.2	= www.chroot.ru
    DNS.3	= mail.chroot.ru
    DNS.4	= wiki.chroot.ru

  2. Create a CSR or a self-signed certificate with one of the following commands:
    1. CSR (the existing key example-com.key is in the same directory):

      openssl req -config cert_config.cnf -new -key example-com.key -out example-com.csr

    2. Certificate:

      openssl req -config cert_config.cnf -new -x509 -newkey rsa:4096 -nodes \
              -keyout example-com.key -days 1100 -out example-com.crt

  3. Check the certificate or the CSR:

    openssl x509 -in example-com.crt -text -noout
    openssl req -in example-com.csr -text -noout
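
Added example (not part of the original page): a POSIX shell check for the output of step 3 that confirms every name from `[ alternate_names ]` is really present in the Subject Alternative Name extension, since a CA is free to ignore the extensions requested in a CSR. The function names `san_names`, `missing_sans` and `sample_text` and the sample output are constructed for illustration.

```sh
# Added example, not from the original page. Function names are hypothetical.

# san_names: read `openssl x509 -text -noout` or `openssl req -text -noout`
# output on stdin and print each DNS entry of the SAN extension on its own line.
san_names() {
    awk '
        found {                       # the line right after the SAN header
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] ~ /^DNS:/) print substr(parts[i], 5)
            }
            exit
        }
        /X509v3 Subject Alternative Name:/ { found = 1 }
    '
}

# missing_sans NAME...: print every expected name that is absent from the SAN
# extension read on stdin; return 1 if at least one name is missing.
missing_sans() {
    present=$(san_names)
    rc=0
    for name in "$@"; do
        # -x whole line ("chroot.ru" must not pass for "www.chroot.ru"), -i case-insensitive, -F literal dots
        if ! printf '%s\n' "$present" | grep -qxiF -- "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of the extensions part of `openssl x509 -text -noout`
# output for a certificate built from cert_config.cnf (not a captured run).
sample_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:chroot.ru, DNS:www.chroot.ru, DNS:mail.chroot.ru, DNS:wiki.chroot.ru
EOF
}

# With real files: openssl x509 -in example-com.crt -text -noout | missing_sans chroot.ru
sample_text | missing_sans chroot.ru www.chroot.ru mail.chroot.ru wiki.chroot.ru \
    && echo "all expected names are in the SAN extension"
```

Current TLS clients match the hostname against the SAN list only, so the `commonName` default in the config does not substitute for a missing `DNS.n` entry.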

Another similar guide can be found here: http://apetec.com/support/generatesan-csr.htm

security_lab/create_subj_alt_name_cert.txt · Last modified: 2017/07/27 00:41 by rybario
CC Attribution-Share Alike 4.0 International