
    Create certificates with multiple hostnames

    To create CSRs (certificate signing requests) for certificates with more than one domain, you must use openssl commands and a small configuration file.
    If you use Mac OS X or Linux, you probably already have the openssl commands available in your terminal. If not, you can connect to the Management node using SSH and issue the commands there, using an SCP client like WinSCP to copy files to and from your PC. If this is your best choice, I recommend creating the configuration file on Windows first, before uploading.
    Create a file called, for example, create-cert.cnf.
    Make sure the alt_names match all your Subject Alternative Names.
    alt_names must also include the common name.
    The example below has as pool name, and eu-px01 and eu-pool as subject alternate names.
    The below config example has default values set to fit us, but you can set your own default values if you like. This is just to save some time when actually creating the CSRs.
    create-cert.cnf contents (please edit alt_names)
    [ req ]
    distinguished_name = create_certificate
    req_extensions = v3_req
    [ create_certificate ]
    # Prompts and default values for the certificate subject
    countryName = Country Name (2 letter code)
    countryName_default = NO
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Oslo
    localityName = Locality Name (eg, city)
    localityName_default = Oslo
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Pexip
    commonName = Certificate name (full hostname)
    commonName_max = 64
    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [ alt_names ]
    # One DNS.n entry per hostname; the list must include the common name
    DNS.1 =
    DNS.2 =
    OpenSSL command to create a CSR based on the contents of 'create-cert.cnf':
    openssl req -nodes -newkey rsa:2048 -keyout eu-px01.key -out eu-px01.csr -config create-cert.cnf
    This will output two files:

    eu-px01.key: your private key. Keep it safe; you will need it when uploading the certificate to the conference nodes.
    eu-px01.csr: send this to your certificate provider, who will provide a base64 PEM certificate back to you.
    Miscellaneous openssl commands that are useful for fault finding:
    Check the certificates presented when connecting:
    openssl s_client -connect -showcerts

    The certificates will not appear in a very readable format, but you can at least see whether more than one is presented. If there is only one, it must be issued directly by the root CA.

    Check contents of .csr:
    openssl req -noout -text -in myCertificate.csr
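The rule above that alt_names must also include the common name can be checked on a finished CSR before it is sent to the certificate provider. The script below is an added example, not part of the original article: it builds a throwaway CSR from a cut-down version of create-cert.cnf and verifies the rule. The function names and the example.com hostnames are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: check that a CSR's common name is also listed as a SAN.
# Hostnames under example.com are constructed placeholders.

# Print the CSR's common name.
csr_cn() {
  openssl req -noout -subject -nameopt multiline -in "$1" |
    sed -n 's/^ *commonName *= *//p'
}

# Print one DNS subject alternative name per line.
csr_sans() {
  openssl req -noout -text -in "$1" |
    awk '/Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if the common name appears in the SAN list.
cn_in_san() {
  want=$(csr_cn "$1")
  [ -n "$want" ] && csr_sans "$1" | grep -qxF "$want"
}

# Build a throwaway CSR: $1 = output dir, $2 = common name, rest = SAN entries.
make_demo_csr() {
  out=$1; name=$2; shift 2
  {
    printf '[ req ]\ndistinguished_name = create_certificate\n'
    printf 'req_extensions = v3_req\n[ create_certificate ]\n'
    printf 'commonName = Certificate name (full hostname)\n'
    printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
    printf 'subjectAltName = @alt_names\n[ alt_names ]\n'
    n=1
    for h in "$@"; do printf 'DNS.%d = %s\n' "$n" "$h"; n=$((n + 1)); done
  } > "$out/demo.cnf"
  openssl req -nodes -newkey rsa:2048 -keyout "$out/demo.key" \
    -out "$out/demo.csr" -config "$out/demo.cnf" \
    -subj "/C=NO/ST=Oslo/L=Oslo/OU=Pexip/CN=$name" 2>/dev/null
}

tmp=$(mktemp -d)
make_demo_csr "$tmp" eu-pool.example.com eu-pool.example.com eu-px01.example.com
csr_sans "$tmp/demo.csr"
if cn_in_san "$tmp/demo.csr"; then echo "OK: common name is in alt_names"
else echo "FAIL: common name missing from alt_names"; fi
rm -rf "$tmp"
```

To check your own request, run `cn_in_san` against the .csr file produced by the openssl req command.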
    Connect to a host to check if it returns  
    openssl s_client -connect -showcerts
    OpenSSL one-liner to create a CSR for a single domain, if you are not using multiple domains:
    openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr -subj "/C=NO/ST=Oslo/L=Oslo/O=Pexip/"