Creating Multiple Hostname Certificates with OpenSSL on OpenSuSE 15
Hi everybody.
In my previous article, I showed you how to Configure and Enable #SSL on #Apache 2 for OpenSuSE 15. In that article I used a #certificate created for a single host name, but you can create a certificate that covers multiple host names (Subject Alternative Names, or SANs), which lets a single virtual host respond to several host names with one certificate.
For example, my company may have several customers that rely on my Information Technology service and use my hosted e-mail server. Let's name them:
- CompuNext - My IT company hosting e-mail services
- EatIT - Food industry
- BillBoardBroad - Billboard exhibition company
CompuNext's e-mail server is published over HTTPS as webmail.compunext.net, but its customers want to use their own domains, which looks more professional to their users. So their e-mail server host names would be:
- webmail.eatit.com
- webmail.billboardbroad.com
In this case you have to create a certificate request containing multiple host names, but the default OpenSSL configuration does not add any Subject Alternative Names to a request. You have to make a copy of the OpenSSL configuration file, add a subjectAltName extension listing the extra server names, and enable v3 request extensions (req_extensions = v3_req) so that openssl req includes them in the certificate request.
To edit openssl configuration file, copy the default configuration file to a safe location and open it with your favorite text editor:
- cp /etc/ssl/openssl.cnf /etc/apache2/ssl.key/webmail.cnf
- vi /etc/apache2/ssl.key/webmail.cnf
Look for the text req_extensions = v3_req in the [ req ] section. In the default file it is usually present but commented out; remove the leading #, or add the line after the string_mask = utf8only line if it is missing entirely. It will look like this:
This tells openssl req to copy the extensions from the [ v3_req ] section into the certificate request. The additional server names come from the configuration file, not from an interactive prompt.
Optionally you can edit the nsComment field to reflect your company's information (it is a legacy Netscape extension and is ignored by modern clients).
Look for the [ v3_req ] section. Add the following line after the last line of this section:
- subjectAltName = @alt_names
The @alt_names reference tells OpenSSL to read the names from a section called alt_names, which you create yourself. Right after the subjectAltName line in [ v3_req ], add a section named alt_names and list one DNS entry per line, each with an index, followed by the desired server name. Include the primary name (webmail.compunext.net) as well: modern browsers match the host name only against the SAN list and ignore the Common Name, so a name that appears only in the CN fails validation. For example:
- [ alt_names ]
- DNS.1 = webmail.compunext.net
- DNS.2 = webmail.eatit.com
- DNS.3 = webmail.billboardbroad.com
It will look like this...
Save your webmail.cnf OpenSSL configuration file and close your text editor.
Remember that in my previous article you learned how to create a server private key. If you still have it, there is no need to create a new one.
Now you can use the openssl command to generate a Certificate Signing Request based on the webmail server private key and the webmail.cnf configuration file. If your .key file and webmail.cnf are both in /etc/apache2/ssl.key, the command is shorter.
- cd /etc/apache2/ssl.key
- openssl req -config webmail.cnf -new -key webmail.key -out ../ssl.csr/webmail_servers.csr
Do not add a "-days 1095" parameter here: -days only has an effect when openssl req -x509 produces a self-signed certificate. A CSR carries no validity period; the certificate lifetime (for example 1095 days, 3 years, or the default of 365 days) is decided by the certificate server when it signs the request. The command will look like this:
After pressing Enter, you'll be asked to input some basic information, just as we did in my previous article.
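As an added example (these are not the article's own commands): the same procedure as a small POSIX shell script that writes a self-contained request config with the SAN list, generates the key and CSR from it, and prints the SAN line of the resulting CSR so you can check it before pasting it into the certificate server. It differs from the steps above in that it uses prompt = no and takes the subject from the file instead of asking interactively; the organisation name, the 2048-bit RSA key size and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: build a request config with a SAN list,
# generate a key and CSR from it, and verify that the names landed in the CSR.
# Assumptions: subject O=CompuNext, 2048-bit RSA key, and a scratch directory
# instead of /etc/apache2/ssl.key.
set -e

# write_req_config OUTFILE PRIMARY_NAME [ALIAS...]
# Writes a minimal openssl.cnf for `openssl req`. The first name becomes the
# CN and DNS.1; every name is listed in [ alt_names ], because clients match
# the host name against the SAN list and ignore the CN.
write_req_config() {
    cfg=$1; shift
    {
        printf '[ req ]\n'
        printf 'default_bits = 2048\n'
        printf 'default_md = sha256\n'
        printf 'prompt = no\n'                     # subject comes from [ req_dn ]
        printf 'distinguished_name = req_dn\n'
        printf 'req_extensions = v3_req\n'         # copy [ v3_req ] into the CSR
        printf '\n[ req_dn ]\n'
        printf 'O = CompuNext\n'
        printf 'CN = %s\n' "$1"
        printf '\n[ v3_req ]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n'
        printf '\n[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# make_csr CONFIG KEYFILE CSRFILE
# Reuses an existing key (as the article suggests) or creates a new one.
# No -days here: a CSR has no validity period; the CA sets it when signing.
make_csr() {
    [ -f "$2" ] || openssl genrsa -out "$2" 2048 2>/dev/null
    openssl req -config "$1" -new -key "$2" -out "$3"
}

# csr_sans CSRFILE -> prints e.g. "DNS:a.example, DNS:b.example"
# Check this before pasting the CSR into the certificate server.
csr_sans() {
    openssl req -in "$1" -noout -text \
      | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Demo run (writes into a temporary directory): sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_req_config "$d/webmail.cnf" webmail.compunext.net webmail.eatit.com webmail.billboardbroad.com
    make_csr "$d/webmail.cnf" "$d/webmail.key" "$d/webmail.csr"
    csr_sans "$d/webmail.csr"
fi
```

If the printed line does not list every name, the request was built without the extensions (usually req_extensions is still commented out) and the certificate server will issue a single-name certificate no matter what the config says.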
Copy the webmail_servers.csr file to your desktop and open it with your preferred text editor. Copy the full content of webmail_servers.csr, go to your certificate server and follow the Web Server certificate generation procedure in the "Configuring and Enabling SSL on Apache 2 for OpenSuSE 15" article.
Download the newly generated .cer file from your certificate server in Base-64 format. Name it webmail_servers.crt and copy it to your OpenSuSE server's Apache certificate folder: /etc/apache2/ssl.crt.
Now you have the following files:
- /etc/apache2/ssl.crt/webmail_servers.crt
- /etc/apache2/ssl.key/webmail.key
Open your webmail virtual host configuration file and add the following lines after the ServerName line. ServerAlias takes bare host names; do not append :443, because the port is already fixed by the <VirtualHost *:443> block and an alias with a port suffix never matches a request:
- ServerAlias webmail.eatit.com
- ServerAlias webmail.billboardbroad.com
If you did not change the original webmail.key file name and location, you do not have to change the SSLCertificateKeyFile directive. Change only SSLCertificateFile:
- SSLCertificateFile /etc/apache2/ssl.crt/webmail_servers.crt
Take a look at webmail.conf file:
Save the webmail.conf file and restart Apache by running the systemctl restart apache2 command.
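As an added example that is not the article's own webmail.conf (the file from the previous article is not reproduced here): a shell script that writes a minimal SSL virtual host answering for all three names with the one certificate, and a check that shows which certificate a client actually receives for each SNI name. The DocumentRoot and log file paths are assumptions; the certificate and key paths are the article's.

```shell
#!/bin/sh
# Added example, not the article's webmail.conf: a minimal SSL vhost that
# answers for several names with one certificate, plus a client-side check.
# DocumentRoot and log file names are assumptions.
set -e

# write_ssl_vhost OUTFILE PRIMARY_NAME [ALIAS...]
# ServerAlias takes bare host names; the port is fixed by <VirtualHost *:443>,
# so "ServerAlias webmail.eatit.com:443" would never match a request.
write_ssl_vhost() {
    out=$1; primary=$2; shift 2
    {
        printf '<VirtualHost *:443>\n'
        printf '    ServerName %s\n' "$primary"
        for alias in "$@"; do
            printf '    ServerAlias %s\n' "$alias"
        done
        printf '    DocumentRoot /srv/www/webmail\n'
        printf '    SSLEngine on\n'
        printf '    SSLCertificateFile /etc/apache2/ssl.crt/webmail_servers.crt\n'
        printf '    SSLCertificateKeyFile /etc/apache2/ssl.key/webmail.key\n'
        printf '    ErrorLog /var/log/apache2/webmail_error_log\n'
        printf '    CustomLog /var/log/apache2/webmail_access_log combined\n'
        printf '</VirtualHost>\n'
    } > "$out"
}

# vhost_names FILE -> every host name the vhost answers for, one per line.
# Compare this list with the DNS entries in the certificate's SAN list.
vhost_names() {
    awk '$1 == "ServerName" || $1 == "ServerAlias" { print $2 }' "$1"
}

# served_sans SNI_NAME SERVER_HOST
# Connects with the given SNI name and prints the SAN line of the certificate
# Apache hands back. Each customer name should produce the same list.
served_sans() {
    openssl s_client -servername "$1" -connect "$2:443" </dev/null 2>/dev/null \
      | openssl x509 -noout -text \
      | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Typical use after editing the vhost: syntax-check, restart, then verify.
#   apache2ctl -t && systemctl restart apache2
#   served_sans webmail.eatit.com webmail.compunext.net
```

Run apache2ctl -t before the restart so a typo in the vhost does not take the server down. If your certificate server is an intermediate CA, append its certificate to webmail_servers.crt (Apache 2.4.8 and later read the chain from SSLCertificateFile); otherwise clients receive the right names but cannot build a trust chain.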
Remember: I'm using simple configurations based on the webmail server example in my previous article.
Apache is a powerful web server with many possible configurations. Everything depends on your web application and how it was designed.
Apache can have a single flat virtual host ".conf" file with multiple server entries, or a separate ".conf" file for each application. Everything depends on how your web environment was built.
Likewise, you can use a single ".key" file to generate several certificates, or a separate ".key" file for each server. You can have a single ".crt" file covering multiple domain names, or one ".crt" file per virtual host.
In this article I'm trying to keep everything simple. Make as many adaptations as needed to fit your environment.
I hope you enjoy IT!
Thank you!