NOT JUST THE “ADDITIONAL” ENTRIES.
CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software.
As of chrome 58+ this is why you will have problems and should follow these instructions :)
Enough with the warnings…let’s get shit done!
while not necessary since the openssl.cnf has the CA sections separate from the user sections, I like to get my CA setup self-contained in a directory.
your cwd needs to be wherever you’re gonna generate. if you don’t know what that means quit now!
cp /etc/ssl/openssl.cnf openssl-san.cnf
cp /etc/pki/tls/openssl.cnf openssl-san.cnf
cp /usr/ssl/openssl.cnf openssl-san.cnf
cp /System/Library/OpenSSL/openssl.cnf openssl-san.cnf
... [req] req_extensions = v3_req [v3_req] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = server1.yourdomain.tld DNS.2 = mail.yourdomain.tld DNS.3 = www.yourdomain.tld DNS.4 = www.sub.yourdomain.tld DNS.5 = mx.yourdomain.tld DNS.6 = support.yourdomain.tld
My notes on generating private keys and CSR’s. (that I never remember)
Used with, for example, a new HTTPS server.
openssl req -newkey rsa:4096 -nodes -keyout cryp7.net.key -out cryp7.net.csr -days 365
-nodesplaces an unencrypted copy of the private key in the server’s key file. This is typically used so that the sysadmin doesn’t need to type in the password when restarting apache; for example.
!!!You should secure this with restrictive permissions at a minimum!!!
Answer the prompts noting:
chown root:root cryp7.net.key chmod 0400 cryp7.net.key
Used, for example, to sign your own intermediate CA certificate
openssl req -new -config openssl.cnf -key private/vpn.ca.key -out vpn.ca.csr -days 1825
since you’re specifying the openssl.cnf, all prompts should all be defaulted as desired.
Now send off the server.csr to your CA.
once sent, the CSR is no longer needed.
Combines the public and private key in an encrypted format (symmetrical) for use with email clients, etc.
openssl pkcs12 -export -in my.crt -inkey my.key -in root.pem -out my.p12
openssl pkcs12 -export -in my.crt -inkey my.key -out my.p12