17 Nov 2009 waffel   » (Journeyer)

create self signed multi domain certificate


I have a domain mydomain.com with some sub level domains like

  • nexus.mydomain.com
  • svn.mydomain.com
  • www.mydomain.com

Now I need a self signed certificate for all these domains because I want to use them over HTTPS. There are some steps to do this. First of all: you don’t need for this propose your own root certificate. You should replace all occurence of mydomain.com with your own domain name and sub domains.

On the gentoo server where the apache should host the domains, I have to create the certificate. I do following steps:

  1. Generate a private key
    openssl genrsa -des3 -out server.key 1024
    
  2. Generate a CSR (Certificate Signing Request)
    openssl req -new -key mydomain.key -out mydomain.csr
    
    Country Name (2 letter code) [DE]:DE
    State or Province Name (full name) [Sachsen]:Sachsen
    Locality Name (eg, city) [Leipzig]:Leipzig
    Organization Name (eg, company) [My Company Ltd]:mydomain.com
    Organizational Unit Name (eg, section) []:Information Technology
    Common Name (eg, your name or your server's hostname) []:mydomain.com
    Email Address []:thomas dot wabner at mydomain dot com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
  3. Remove Passphrase from Key
    cp mydomain.key mydomain.key.org
    openssl rsa -in mydomain.key.org -out mydomain.key
    
  4. Generating a Self-Signed Certificate

    To include all required subdomains a extensions file must be used. For example I have created a file /home/waffel/ssl/mydomain_extensions with following content:

    [ mydomain_http ]
    nsCertType      = server
    keyUsage        = digitalSignature,nonRepudiation,keyEncipherment
    extendedKeyUsage        = serverAuth
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid,issuer
    subjectAltName          = @mydomain_http_subject
    [ mydomain_http_subject ]
    DNS.1 = www.mydomain.com
    DNS.2 = nexus.mydomain.com
    DNS.3 = trac.mydomain.com
    DNS.4 = svn.mydomain.com
    

    The last command to create the certificate is:

    openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt -extfile /home/waffel/ssl/mydomain_extensions -extensions mydomain_http
    

In the apache configuration for the ssl host’s I have enabled the ssl module with following content:

...
ServerAlias svn.mydomain.com trac.mydomain.com nexus.mydomain.com

        ErrorLog /var/log/apache2/ssl_mydomain_error_log
        <IfModule log_config_module>
                TransferLog /var/log/apache2/ssl_mydomain_access_log
        </IfModule>

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
        SSLCertificateChainFile /etc/ssl/cacert.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        <IfModule log_config_module>
                CustomLog /var/log/apache2/ssl_mydomain_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>
...

For exmaple if you need such certificate to connect your maven with a self installed nexus repositiory over https you can follow the article from ahoehma.

A more detailed description with some beckground information about the certificate creation can be found here.

Posted in administration, webmaster Tagged: apache, certificate, domain, extensions, https, multi, openssl, self, signed, ssl

Syndicated 2009-11-17 16:29:37 from waffel's Weblog

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!