Generate a self-signed multiple domain (UCC) SSL certificate

  • Option 1: using openssl
    • Find openssl.cnf:
      sudo find / -name openssl.cnf 2>/dev/null
      • On Mac OS X, it is /System/Library/OpenSSL/openssl.cnf
      • On Ubuntu Linux, it is /usr/lib/ssl/openssl.cnf
    • Copy openssl.cnf to /tmp/openssl.cnf (Ubuntu path shown):
      cp /usr/lib/ssl/openssl.cnf /tmp/openssl.cnf
    • Edit /tmp/openssl.cnf and append the following line to the [v3_ca] section:
      [v3_ca]
      ... ... ...
      subjectAltName = @alternate_names
      
      Then append an [alternate_names] section:
      [alternate_names]
      DNS.1 = mediaflux.localhost
      DNS.2 = daris.localhost
      
      Also, set:
      copy_extensions = copy
      
      It ensures the SANs are copied into the certificate.
    • Generate the private key, then the self-signed certificate:
      openssl genrsa -out private.key 3072
      openssl req -new -x509 -key private.key -sha256 -config /tmp/openssl.cnf -out public.crt -days 730 -subj "/C=AU/ST=Victoria/L=Melbourne/O=W/OU=WL/CN=localhost"
  • Option 2: using Java keytool
    • keytool -genkeypair -keystore /tmp/certs -alias mflux -storepass password -keyalg "RSA" -validity 3650 -dname "cn=localhost, ou=WL, o=W, l=Melbourne, st=Victoria, c=AU" -ext san=dns:daris.localhost,dns:mediaflux.localhost
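
Option 1 as a script that also verifies the result. This is an added example, not code from the original post. It assumes a minimal throwaway config written to a scratch directory instead of an edited copy of the system openssl.cnf, and the function names make_ucc_cert, cert_sans and cert_has_san are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): Option 1 with a minimal config,
# followed by a check that the SANs really are in the certificate.

# make_ucc_cert DIR NAME...  ->  writes DIR/private.key and DIR/public.crt
make_ucc_cert() {
    dir=$1; shift
    cfg="$dir/openssl.cnf"
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n'
        # [dn] is unused here: -subj supplies the subject.
        printf '[dn]\ncommonName = Common Name\n'
        printf '[v3_ca]\nsubjectAltName = @alternate_names\n'
        printf '[alternate_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
    openssl genrsa -out "$dir/private.key" 3072 2>/dev/null &&
        chmod 600 "$dir/private.key" &&
        openssl req -new -x509 -key "$dir/private.key" -sha256 \
            -config "$cfg" -out "$dir/public.crt" -days 730 \
            -subj "/C=AU/ST=Victoria/L=Melbourne/O=W/OU=WL/CN=localhost"
}

# cert_sans CERT  ->  prints one DNS SAN per line, in certificate order
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_has_san CERT NAME  ->  exit status 0 only on an exact SAN match
cert_has_san() {
    cert_sans "$1" | grep -Fxq "$2"
}

# Demo in a scratch directory (names taken from the post).
workdir=$(mktemp -d)
make_ucc_cert "$workdir" mediaflux.localhost daris.localhost
cert_sans "$workdir/public.crt"
rm -rf "$workdir"
```

Running cert_has_san against public.crt after any config change catches the common failure where the certificate is issued without the subjectAltName extension.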
