Enabling SSL for Name Based Vhosts: subjectAltName
Create an OpenSSL request

If you want to know more about openssl commands, look here.

You can configure openssl to use environment variables.

  • At the top of openssl.cnf, under the line that sets HOME="…", I added
  • I enabled v3_req:
req_extensions = v3_req
  • and in [ v3_req ] I added:
  • So if you run openssl like this (I include the CN in the SANs):
# export SAN on its own line; a trailing backslash here would make the
# openssl command part of the export and the call would fail
export SAN="DNS:www.example.com, DNS:www1.example.org, DNS:www2.example.org"
openssl req \
  -new -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.com/O=ssystems/L=Berlin/ST=Berlin/C=DE" \
  -keyout mykey.pem -out myreq.pem

If SAN is exported, openssl fills subjectAltName with its contents; otherwise it uses the default given at the top of the file (email:noc@example.com).

From now on, whenever you create a request you have to export SAN, and it must contain at least the CN:

CN=www.example.com      # host name of the vhost
SAN="DNS:$CN"           # SAN must list at least the CN itself
export SAN CN
openssl req \
  -new -newkey rsa:2048 -nodes \
  -subj "/CN=$CN/O=ssystems/L=Berlin/ST=Berlin/C=DE" \
  -keyout mykey.pem -out myreq.pem

Verify the request

Before you send the request to your CA of choice, check that the request actually contains the extensions:

/opt/wwwroot/bin/openssl req -text -in myreq.pem

You should see a block like this:

        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:www1.example.org, DNS:www2.example.org
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
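The following script is an added example, not part of this wiki page and not its author's config. It ties the request section and the verification section together: it writes a throw-away openssl.cnf that reads subjectAltName from the SAN environment variable, builds one CSR with SAN exported (CN included) and one without it so the config default kicks in, and then pulls the Subject Alternative Name out of each CSR the way the `openssl req -text` check above does, so a missing name is caught before the request goes to the CA. The `subjectAltName = ${ENV::SAN}` line is OpenSSL's standard way of reading a config value from the environment, with a top-of-file `SAN = …` as the fallback when the variable is not exported; the wiki does not show its exact lines, so that part, the scratch directory, and the function names (write_config, make_request, request_san, check_request) are my assumptions. The script passes `-config` explicitly instead of editing the system openssl.cnf.

```sh
#!/bin/sh
# Added example, not the wiki's own configuration: a throw-away openssl.cnf
# that reads subjectAltName from the SAN environment variable, two CSRs built
# from it, and a check that a CSR really carries the names we asked for.
set -eu

# Scratch directory (assumption: TMPDIR or /tmp is writable).
WORK="${TMPDIR:-/tmp}/san-demo.$$"

# Minimal config. The SAN at the top is the fallback OpenSSL uses when
# ${ENV::SAN} finds no SAN variable in the environment.
write_config() {
    mkdir -p "$WORK"
    cat > "$WORK/openssl.cnf" <<'EOF'
HOME = .
SAN  = email:noc@example.com

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
# Placeholder only; -subj on the command line replaces it.
CN = placeholder

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = ${ENV::SAN}
EOF
}

# make_request CN "SAN list": create key + CSR for CN in a subshell. An empty
# SAN list means "do not export SAN at all", so the config default is used.
make_request() {
    cn=$1; san=$2
    (
        if [ -n "$san" ]; then export SAN="$san"; else unset SAN; fi
        openssl req -new -newkey rsa:2048 -nodes \
            -config "$WORK/openssl.cnf" \
            -subj "/CN=$cn/O=ssystems/L=Berlin/ST=Berlin/C=DE" \
            -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr"
    )
}

# request_san CSR: print the subjectAltName line of a CSR, i.e. the line
# below "X509v3 Subject Alternative Name:" in the openssl req -text output.
request_san() {
    openssl req -noout -text -in "$1" \
        | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# check_request CSR "name, name, ...": succeed only if every listed SAN
# entry is present in the CSR. Run this before sending the request off.
check_request() {
    actual=$(request_san "$1")
    old_ifs=$IFS; IFS=','
    for want in $2; do
        want=${want# }                      # drop the space after the comma
        case ", $actual," in
            *", $want,"*) ;;
            *) IFS=$old_ifs; return 1 ;;    # a requested name is missing
        esac
    done
    IFS=$old_ifs
}

# Demo: one request with the CN included in the SAN list, one without SAN
# exported so the config default (email:noc@example.com) shows up instead.
write_config
make_request www.example.com \
    "DNS:www.example.com, DNS:www1.example.org, DNS:www2.example.org"
make_request plain.example.com ""
echo "explicit SAN  : $(request_san "$WORK/www.example.com.csr")"
echo "config default: $(request_san "$WORK/plain.example.com.csr")"
```

The second request is the failure mode the page warns about: forget to export SAN and the CSR silently carries `email:noc@example.com` instead of your host names, which check_request flags because none of the DNS entries are present.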

Shibboleth and Subject Alternative Name

Different SP / Metadata cert

It is possible to set up a Shibboleth SP with a simple cert (without Subject Alternative Name) and to serve the contents with an extended cert.

ssl_vhosts.txt · Last modified: 2012/03/24 03:10 (external edit)