
    Create certificates with multiple hostnames

    To create CSRs (Certificate signing requests) for certificates with more than one domain, you must use openssl commands and a small configuration file.
     
    If you use Mac OS X or Linux, you probably already have the openssl commands installed in your terminal. If not, you can issue the commands over SSH on the Management node, and use an SCP client like WinSCP to copy files to and from your PC. If this is your best choice, I recommend creating the configuration file on Windows first, before uploading.
     
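    Create a file called, for example, create-cert.cnf.
    Make sure the alt_names match all your Subject Alternative Names.
    alt_names must also include the common name, because clients that find a subjectAltName extension check the hostname against it and ignore the common name.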
     
    The example below has eu-pool.example.com as the pool name, and eu-px01 and eu-pool as subject alternative names.
     
    The config example below has default values that fit us, but you can set your own default values if you like. The defaults only save some time when actually creating the CSRs.
     
     
    create-cert.cnf contents (please edit alt_names)
    [req]
    distinguished_name = create_certificate
    req_extensions = v3_req
     
    [create_certificate]
    countryName = Country Name (2 letter code)
    countryName_default = NO
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Oslo
    localityName = Locality Name (eg, city)
    localityName_default = Oslo
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Pexip
    commonName = Certificate name (full hostname)
    commonName_max = 64
     
    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
     
    [alt_names]
    DNS.1 = eu-px01.pexipdemo.com
    DNS.2 = eu-px.pexipdemo.com
     
     
    OpenSSL command to create a CSR based on the contents of 'create-cert.cnf':
     
    openssl req -nodes -newkey rsa:2048 -keyout eu-px01.key -out eu-px01.csr -config create-cert.cnf
     
     
    This will output two files:

    eu-px01.key
    Your private key. Keep it safe: the -nodes option writes it to disk unencrypted. You will need it when uploading the certificate to the conference nodes.
     
    eu-px01.csr
    Send this file to your certificate provider, who will return a base64 PEM certificate to you.
     
     
     
    Miscellaneous openssl commands that are useful for fault finding:
     
    Check certificates presented when connecting
    openssl s_client -connect eu-px01.pexipdemo.com:5061 -showcerts

    The certificates will not appear in a very readable format, but you can at least see whether more than one is presented. If there is only one, it must be issued directly by the root CA.

     
    Check contents of .csr:
    openssl req -noout -text -in myCertificate.csr
     
    Connect to a host to check if it returns  
    openssl s_client -connect eu-px01.example.com -showcerts
     
    OpenSSL one-liner to create a CSR for one domain, if you are not using multiple domains:
    openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr -subj "/C=NO/ST=Oslo/L=Oslo/O=Pexip/CN=example.pexipdemo.com"
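
The rule that alt_names must include the common name can be checked before the CSR is generated, and the finished CSR can be checked for its SANs. The script below is an added example, not part of the original article: the function names are hypothetical, the config is a constructed copy of the create-cert.cnf sections above, and the -subj value follows the article's one-liner so that openssl does not prompt.

```shell
# Added example (hypothetical names): is the common name listed in [alt_names]?

# Print the DNS entries of [alt_names], lower-cased, one per line.
# tr drops carriage returns left by editing the file on Windows.
alt_names() {
    tr -d '\r' < "$1" | awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[[ \t]*alt_names[ \t]*\]/); next }
        in_sec && /^[ \t]*DNS\.[0-9]+[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print tolower($0)
        }'
}

# Succeed only if common name $2 is one of the alt_names in config file $1.
cn_in_alt_names() {
    alt_names "$1" | grep -Fxq -- "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# Constructed sample: the parts of create-cert.cnf that the check and CSR need.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = create_certificate
req_extensions = v3_req
[create_certificate]
commonName = Certificate name (full hostname)
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = eu-px01.pexipdemo.com
DNS.2 = eu-px.pexipdemo.com
EOF
}

work=$(mktemp -d) && cnf="$work/create-cert.cnf" && write_sample_cnf "$cnf"
for cn in eu-px01.pexipdemo.com eu-pool.example.com; do
    cn_in_alt_names "$cnf" "$cn" && echo "OK: $cn" || echo "MISSING from [alt_names]: $cn"
done

# With openssl installed: create the CSR without prompts, then list its SANs.
if command -v openssl >/dev/null 2>&1; then
    ( umask 077    # -nodes writes the key unencrypted, so keep it owner-only
      openssl req -nodes -newkey rsa:2048 -keyout "$work/eu-px01.key" \
          -out "$work/eu-px01.csr" -config "$cnf" \
          -subj "/C=NO/ST=Oslo/L=Oslo/O=Pexip/CN=eu-px01.pexipdemo.com" 2>/dev/null &&
      openssl req -noout -text -in "$work/eu-px01.csr" | grep -A1 'Subject Alternative Name'
    ) || echo "openssl step failed"
fi
rm -rf "$work"
```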