At work I have several systems that provide TLS/SSL-encrypted services but answer to multiple host-names. For instance an LDAP server may be named server1.example.com but have DNS aliases of ldap-1.example.com and directory.example.com. If a client connects to ldap-1.example.com and the server presents a certificate whose only name is the common name server1.example.com, host-name verification fails: the client either refuses the connection outright or prompts the user to accept a mismatched certificate.
To get around this problem, install certificates that carry the subjectAltName (SAN) extension listing every host-name the service answers to. Include the primary host-name in that list as well: current clients (per RFC 6125, and browsers such as Chrome since version 58) match the requested host-name only against subjectAltName and ignore the Common Name, so a name that appears only as the CN will not be accepted.
To deploy this properly you need either your own certificate authority (beyond the scope of this document) or commercially signed certificates. If you are purchasing certificates, check with your CA first that they will sign requests carrying the subjectAltName extension (usually sold as multi-domain or UCC/SAN certificates).
Generating the Certificate Signing Request (CSR)
First edit the openssl.cnf file (its location varies by OS; openssl version -d prints the directory) and enable the v3_req extension section. Locate the [ req ] section and add
req_extensions = v3_req
Next find the [ v3_req ] section (create it if it is absent) and add a subjectAltName line listing every DNS name, including the primary one (in this case server1.example.com, ldap-1.example.com and directory.example.com). Do not put a space after DNS: and use plain ASCII quotes if you quote the value at all:
subjectAltName = DNS:server1.example.com, DNS:ldap-1.example.com, DNS:directory.example.com
Generate a Private Key
To generate a CSR we need a private key, generated with the following command. This file should never be world readable and needs to be carefully protected.
# ( umask 077; openssl genrsa 2048 > server1-ldap-key.pem )
Generate the CSR
# openssl req -nodes -new -key server1-ldap-key.pem -out server1-ldap-req.pem
If you would rather not edit the system-wide file, point at a private copy with -config and select the section with -reqexts v3_req. Answer the question prompts. When prompted for your Common Name enter the primary host-name of the system. Before sending the CSR anywhere, display it with openssl req -noout -text and confirm that the Requested Extensions part lists the subjectAltName; a CSR generated without the config change silently lacks it and the CA has nothing to copy.
Signing the CSR
In order to include the extensions in the signed certificate the CA must be configured to copy extensions from the CSR. This is potentially dangerous if you do not fully trust the source of the CSR: a request can carry any extension, including basicConstraints with CA:TRUE, and copying it blindly would hand the requester a working CA certificate. Use copy (which copies only extensions the CA's own x509_extensions section does not already set) rather than copyall, keep basicConstraints = CA:FALSE in that section so a request cannot override it, and review every request with openssl req -noout -text before signing. You may also prefer to enable copying only for the individual signing run.
Locate the openssl.cnf file on your CA. Find the CA section in use (usually [ CA_default ]) and add or un-comment the following line:
copy_extensions = copy
Copy the server1-ldap-req.pem file to your CA and sign it with the following command:
# openssl ca -keyfile [path to CA private key] -in server1-ldap-req.pem -out server1-ldap-cert.pem
The presence of the subjectAltName extension can be verified using this command:
# openssl x509 -in server1-ldap-cert.pem -noout -text
Look for the X509v3 Subject Alternative Name: section and confirm that every alias is listed.
Now install the certificate and private key as you would with any other certificate/key pair, keeping the key readable only by the service account that needs it, and connect to each alias to confirm that clients accept the certificate.
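The whole procedure run end to end, as an added example that is not part of the original article. It stands up a throwaway CA in a temporary directory and uses a private openssl.cnf passed with -config, so nothing on the system is modified; the CA name "Example Test CA", the directory layout and the file names are assumptions made for this demo. Besides the -text check above it also does what a connecting client does: openssl verify -verify_hostname (OpenSSL 1.0.2 or later) is run against each alias and against a name that is not in the list, which must be rejected.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the whole SAN procedure run
# against a throwaway CA in a temporary directory, so the system openssl.cnf
# is never touched. The CA name, file names and layout are assumptions.
set -u

# Minimal config serving both sides: [ v3_req ] for the CSR and [ CA_default ]
# with copy_extensions = copy for the one-off CA. $1 is the work directory.
write_config() {
    local dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
[ v3_req ]
subjectAltName = DNS:server1.example.com, DNS:ldap-1.example.com, DNS:directory.example.com
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/ca-cert.pem
private_key     = $dir/ca-key.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
copy_extensions = copy
x509_extensions = server_ext
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Throwaway self-signed CA in $1; the key is created under umask 077.
make_ca() {
    local dir=$1
    ( umask 077; openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null )
    openssl req -x509 -new -key "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -config "$dir/openssl.cnf" -extensions ca_ext -days 365 \
        -subj "/CN=Example Test CA"
}

# Server key plus a CSR carrying the v3_req SAN list; -reqexts selects the section.
make_csr() {
    local dir=$1
    ( umask 077; openssl genrsa -out "$dir/server1-ldap-key.pem" 2048 2>/dev/null )
    openssl req -new -key "$dir/server1-ldap-key.pem" -out "$dir/server1-ldap-req.pem" \
        -config "$dir/openssl.cnf" -reqexts v3_req -subj "/CN=server1.example.com"
}

# Sign with openssl ca in batch mode; copy_extensions = copy carries the SAN across.
sign_csr() {
    local dir=$1
    openssl ca -batch -config "$dir/openssl.cnf" \
        -in "$dir/server1-ldap-req.pem" -out "$dir/server1-ldap-cert.pem" >/dev/null 2>&1
}

# Print the SAN line of a CSR or certificate (the -text check done by eye in the article).
san_of() {            # $1 = req|x509, $2 = file
    openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

# Succeeds only if the cert chains to the CA and matches the host-name,
# which is what a client connecting to an alias actually checks.
check_hostname() {    # $1 = cert, $2 = CA cert, $3 = host-name
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

make_san_cert() {     # $1 = work dir; runs the whole procedure
    write_config "$1" && make_ca "$1" && make_csr "$1" && sign_csr "$1"
}

main() {
    local dir; dir=$(mktemp -d)
    make_san_cert "$dir" || { echo "issuance failed" >&2; return 1; }
    echo "CSR  SAN: $(san_of req  "$dir/server1-ldap-req.pem")"
    echo "Cert SAN: $(san_of x509 "$dir/server1-ldap-cert.pem")"
    for h in server1.example.com ldap-1.example.com directory.example.com other.example.com; do
        if check_hostname "$dir/server1-ldap-cert.pem" "$dir/ca-cert.pem" "$h"; then
            echo "$h: OK"
        else
            echo "$h: REJECTED"
        fi
    done
    rm -rf "$dir"
}
main
```

Run it as a script: it prints the SAN as seen in the CSR and in the issued certificate, then OK for the three listed names and REJECTED for other.example.com. Because server_ext in the CA section sets basicConstraints = CA:FALSE and copy_extensions is copy rather than copyall, a CSR that also asked for CA:TRUE would have that extension ignored while its subjectAltName is still honoured.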