Skip to main content

Subject Alernative names with Openssl


In this post we will see, how can we create CSR with SAN, which stands for Subject Alternative Names and obviously using openssl command.

For those who do not know what is SAN, let me cover this in short.There are 3 main types of SSL

  •  Standard SSL  :- Used for securing single domain. like www.domain.com, i,e one domain -- one certificate
  • Wild card SSL : - Used for securing multiple sub-domains like home.domain.com office.domain.com in single certificate, i.e multiple subdomain --- single certificate
  • Multi-domain SSL : -- Used for securing multiple domains, like www.domain.com, www.home.com, www.office.net, i,e multiple domains --- single certificate.

So, SAN comes under multiple domains certificate category.

When you purchase a multi-domain certificate from certificate issuing authority ,they give you options of defining SAN along with primary domain.

So, Here we are discussing about how to create CSR(which is required while purchasing the certificate) with SAN itself.And why we are doing this ??

Answer is now a days we see,some Certificate issuing authority , does not include SANs when we purchased a certificate from them,like if I purchased certificate for www.domain.com, the certificate will not include domain.com, which some times creates issues for getting PCI  (Product card industry) certificate for E-commerce sites.

PCI is getting Necessary for E-commerce site now a-days .Lets see then,how to create CSR with SAN

Hopefully you have Linux box with you, with root permission. then do the following

Step 1 : 

Add below lines in file if its not present.
vi /etc/pki/tls/openssl.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req


###Now we'll go own down to the v3_req section and make sure that it includes the following:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names  --->>>> This is IMP, if not present , then add this line.

##Then add below line in same file under [ v3_req ]

[alt_names]
DNS.1 = kb.domain.com
DNS.2 = home.domain.net
DNS.3 = systems.domain.com

## ---- > Denotes comments here.

Step 2 :

save the file.

Step 3 :  

Run below command on the linux terminal,replacing the contents of the commands as per your need

openssl req -new -newkey rsa:2048 -nodes -sha256 -out domain.csr -keyout domain.key -subj "/C=us/ST=Florida/L=Jacksonville/O=Company/OU=IT Department/CN=www.domain.com" -config /etc/pki/tls/openssl.cnf

Above command helps you remove some vulnerabilities you might get from PCI Vendor related to SSL Certificate.


Comments

  1. Excellent beat ! I would like to apprentice while you amend your website, how can i subscribe for a blog web site?
    The account helped me a acceptable deal. I had been a little bit acquainted of
    this your broadcast offered bright clear concept

    ReplyDelete
  2. Glad you Liked it! You can subscribe the blog by following through email option which you can find on your right side of webpage.

    ReplyDelete

Post a Comment

Popular posts from this blog

Solution and Step to fix CVE-2019-5736 Vulnerability - Docker

Recently a new vulnerability has been discovered in the the internet market having target to Docker services. What is this Vulnerability: In short, Docker service uses another service called as runc which is container run time to spawn and run containers. which simply means if docker task is to create docker images then runc task would be running them and attaching a process to container. So as per the recent discovery by the maintainers of runc, the code of this service was having some bug which can be used by attackers to gain the root level of access of the host machine on which docker containers are running. How it can be Exploited: This vulnerability can be exploited in two ways (1) if the docker images are in use is vulnerable making the containers build from it vulnerable also (2) if somehow attacker got the access of containers and then trying to exploit using the bug present in runc and trying to get root privileges. Solution to Fix Vulnerability: Ce

How to Generate CSR using Openssl in Linux

Before Generating CSR ,let see what is Openssl. It is nothing but a core library ,which is used for general purpose in cryptography,it is an open source product which work towards the implementation of SSL and TLS protocols. Talking about openssl, some people called the certificates generated from openssl as "self signed certificate". lets go towards now,creating CSR and private key using openssl command, Just log in to any of your Linux box and run following command as  root user  replacing the required information as per your need . [root@SVR home]#   openssl req -new -newkey  rsa:2048 -nodes -sha256 -out domain_name.csr -keyout domain_name.key -subj "/C=US/ST=state/L=locality/O=organization/OU=organization unit Dept/CN=www.domain.com"  You will get output like : Then check whether ,all the information we have entered ,while creating CSR is proper ,by decoding the CSR from some online tool. First do the cat to the csr file [root@SVR home]#  cat

Multiple instances of redis

In the last post I have covered how to install redis server on Centos/Rhel using rpm method and yum method and some troubleshooting skills. In this post i am going to cover how to install and configure redis to run with multiple ports.                                                                           But why we need more ports ? If you have read my earlier post , you already know that by default redis runs on single port 6379, which any one can use it for small website to cache the data. But for heavy website like magento we need to use additional ports along with 6379 to serve different cache from different ports. Like in Magento there is simple cache which is normally stored under /var/cache directory. Then there is Full Page Cache which is stored under /var/full_page_cache and session cache which is stored under /var/session_cache. Note : Discussion about cache/full page cache/session is not under the scope for this document.