README


@j4cob

Generate a self-signed SSL certificate with subjectAlternateName extension

06 Dec 2010

It’s often useful to create self-signed SSL certificates for testing or when you don’t need the authentication that CA signing provides.  I started with Akadia’s handy tutorial on self-signing here: http://www.akadia.com/services/ssh_test_certificate.html.

Then I needed to add a list of subjectAltName (SAN) fields.  This is an X.509v3 extension that allows a single certificate to be valid for multiple DNS names.  Here’s a shortened version of how to create a self-signed cert using those fields:

```
echo -e >extensions.cnf "basicConstraints=CA:true\nsubjectAltName=DNS:mysite1.com, DNS:mysite2.com"
```


Import server.crt into your list of trusted root certs and install server.crt and server.key in your Apache configuration. Your Apache should now be able to serve trusted SSL for the domains you specified, to your browser or any other one that imports your new certificate as a root.

NOTE: Guard your server.key carefully. Because you have just imported this as a CA cert, an attacker who gained control of your server.key could use it to impersonate any server on the web to you.
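The steps between writing extensions.cnf and having the server.crt and server.key referred to above, as an added example that is not the post's own commands. The function names, the 2048-bit key, the 365-day lifetime and the subject are assumptions; the file names and the two extensions follow the post. It also reads the finished certificate back so you can confirm the SAN list and the CA flag before importing it as a root.

```shell
#!/bin/sh
# Added example, not from the original post. File names (extensions.cnf,
# server.key, server.crt) follow the post; key size, lifetime and subject
# are assumptions.

# make_san_cert DIR NAME...: self-signed cert in DIR valid for every NAME
make_san_cert() {
    dir=$1; shift
    sans=
    for name in "$@"; do
        sans="${sans:+$sans, }DNS:$name"
    done
    # The same two extensions the post writes with echo -e
    printf 'basicConstraints=CA:true\nsubjectAltName=%s\n' "$sans" \
        >"$dir/extensions.cnf"
    (
        umask 077   # keep the private key unreadable to other users
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    ) || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$1" \
        -out "$dir/server.csr" || return 1
    # -extfile is what copies the SAN list into the signed certificate
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/extensions.cnf" \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_sans CRT: print the DNS names in the certificate, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_is_ca CRT: succeed if the certificate carries basicConstraints CA:TRUE,
# i.e. its key could sign certificates for other names once it is trusted
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Run `make_san_cert . mysite1.com mysite2.com`, then `cert_sans server.crt` and `cert_is_ca server.crt` to see exactly what you are about to trust.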