CategoriesSecurity

Creating a Certificate Signing Request (CSR) with multiple Subject Alternative Names (SAN) using OpenSSL – Wait, it’s all secure? Always has been.

Introduction

When you want to use digital certificates (also known als public key certificate) to establish a secure connection between computers, you will need to create a certificate signing request. A certificate is most commonly used for SSL/TLS, which is to provide confidentiality and integrity between two communicating applications.

The Subject Alternative Name (SAN or subjectAltName) is a field which allows you to define additional host names to be secured by a single certificate (also known as a Multi-Domain Certificate). For example, this can be useful when you have many domains/subdomains that needs to be secured. In terms of finances and pragmatism, you may not want to purchase different certificates as this might get expensive or having multiple certificates can be bothersome to implement.

You might be thinking, this sounds like a wildcard certificate! You’re not wrong as both type of certificates are quite similar. Both SAN and wildcard certificates allows you to secure multiple (sub)domains. However, a wildcard certificate cannot protect both identandy.com and identandy.org as the top-level domain (TLD) is different. A wildcard certificate only protects the primary domain (as defined in the Common Name) and any subdomains. Plus, wildcard certificates shouldn’t be used anymore since it’s deprecated as shown in section 7.2 of RFC 6125.

7.2. Wildcard Certificates This document states that the wildcard character ‘*’ SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure).

Instructions

  1. Ensure that you have the latest version of OpenSSL installed.
  2. Create a new text file using your favorite simple text editor and name it request.config.
  3. Copy the following text to the request.config file and change the C\ST\L\O\OU\CN\DNS.* attributes accordingly. Go to chapter Definitions and Examples for more information regarding these attributes.

Syntax of a request.config file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = <countryName>
ST = <stateOrProvinceName>
L = <localityName>
O = <organizationName>
OU = <organizationalUnit>
CN = <commonName>
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = <hostName>
DNS.2 = <hostName>

Example of a request.config file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = Noord-Holland
L = Amsterdam
O = Identandy
OU = Public Relations
CN = identandy.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = identandy.com
DNS.2 = subdomain.identandy.com
DNS.3 = identandy.net
  1. Ensure that there aren’t any whitespaces at the beginning or the end of the lines.
  2. Start the following command to create the certificate signing request.

Syntax of an OpenSSL command to create a CSR:

openssl req -new -out <csr_file> -newkey rsa:2048 -nodes -sha256 -keyout <private_key> -config <request.config>

Example of an OpenSSL command to create a CSR:

openssl req -new -out identandy_com.csr -newkey rsa:2048 -nodes -sha256 -keyout identandy_com_private.key -config request.config
  1. After executing the OpenSSL command you will be greeted with the following message and your CSR (identandy_com.csr) and private key (identandy_com_private.key) have been created.
Generating a RSA private key
....+++++
......+++++
writing new private key to 'identandy_com_private.key'
-----
  1. Start the following command to verify the certificate signing request
openssl req -text -noout -verify -in identandy_com.csr

verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = NL, ST = Noord-Holland, L = Amsterdam, O = Identandy, OU = Public Relations, CN = identandy.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ba:9e:94:bc:0b:36:35:18:3c:1d:f8:9b:34:47:
                    a6:a0:05:6c:18:29:06:f8:5e:e4:0a:45:42:4b:db:
                    58:1e:56:dd:c5:cb:7b:e1:c8:3c:0b:89:f8:9c:dd:
                    9c:5a:bd:9e:8b:7c:4b:5e:00:cb:71:02:9f:78:af:
                    d5:de:41:d2:7e:97:36:08:28:75:b1:ff:5b:ac:87:
                    17:d3:4b:23:7f:27:42:7c:34:f5:d9:58:94:b6:f4:
                    42:06:02:27:61:ea:54:09:d5:b9:31:b0:72:a2:17:
                    a4:95:61:3d:e7:81:2f:cc:cf:52:f0:e9:05:89:3b:
                    68:59:4f:17:21:58:d1:e5:e0:32:1c:03:cb:43:25:
                    60:1f:a3:b7:49:c3:07:d5:0a:77:9a:fc:d5:02:32:
                    d8:18:d9:84:9c:e1:69:cd:b4:d3:6a:3c:6c:43:0d:
                    22:29:1e:f9:07:58:e0:0b:50:d1:77:04:41:bd:7c:
                    45:c7:ad:45:15:3e:b6:48:d7:bc:9b:b1:56:32:2e:
                    02:23:7a:c9:20:6c:f5:10:87:f6:e2:b7:2b:6a:a6:
                    9b:a0:3c:2e:49:87:8c:89:37:5b:8e:cf:e4:06:1f:
                    8e:dc:90:71:78:9d:2c:2c:1c:bd:dc:db:a7:64:ac:
                    7d:a6:1a:d9:f7:cc:78:69:13:f6:7f:98:52:97:65:
                    a5:4f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:identandy.com, DNS:subdomain.identandy.com, DNS:identandy.net
    Signature Algorithm: sha256WithRSAEncryption
         37:39:f8:4d:c2:71:c6:30:74:4f:de:dd:21:92:56:5e:55:bf:
         f4:80:cb:fa:0c:25:34:48:c5:be:77:5a:4e:f6:b7:3c:bf:40:
         8e:40:35:58:2a:e6:63:f6:5f:95:c8:bc:1b:c5:da:e2:d7:04:
         12:44:cd:0a:95:13:5b:87:a9:a4:d0:91:f8:d9:2f:e1:8e:a1:
         76:ea:60:cc:cd:a3:34:75:cb:ad:cd:f5:63:10:33:69:3a:fc:
         b4:4e:89:b8:e9:42:0b:af:62:4a:08:ac:0d:b8:fb:e1:3c:fe:
         ee:92:46:5e:e9:22:41:b0:68:93:a6:56:b1:6b:f4:c1:eb:54:
         a9:c9:5b:c7:e0:de:17:57:3e:79:90:eb:13:dd:12:c1:52:2c:
         75:e5:7f:13:73:8a:82:67:b2:66:3f:8a:fd:e6:04:4b:08:11:
         a2:b0:03:9f:cb:a8:41:fc:4a:ea:21:c7:1c:68:b9:65:6b:61:
         0a:b3:14:52:b5:c7:51:68:6f:d0:e8:f3:cf:cf:ff:af:27:7e:
         9b:ef:7a:10:ab:2e:48:4e:7a:49:4b:10:b7:6d:92:11:f2:e1:
         99:92:f1:c5:bc:6e:32:e7:d9:48:3a:66:f4:31:26:a2:e5:87:
         d9:de:39:0e:40:87:3c:b7:d3:e7:60:ca:9a:4f:1a:3d:f0:43:
         6f:32:f5:a5

And there you have it! That’s all you need to do to generate a CSR using OpenSSL. I hope that you have find it useful and if you have any questions leave a comment below.

Definitions and Examples

Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it. Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. A wide range of security controls can provide protection for confidentiality, including, but not limited to, encryption, access controls, and steganography.

Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data. It ensures that data remains correct, unaltered, and preserved. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes and oversights).

Country Name (CN) Use the two-letter country code based on ISO 3166-1 alpha-2. Example: NL

State or Province (S) Spell out the state completely; do not abbreviate the state or province name. Example: Noord-Holland

Locality or City (L) Spell out the city or town name completely; do not abbreviate the locality or city name. Example: Amsterdam

Organization (O) If the company or department has an &, @, or any other symbol, the symbol must be spelled out or omitted. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation. 

Organizational Unit (OU)  The Organizational Unit (OU) field is the name of the department or organization unit making the request.

Common Name (CN) The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN), is the characteristic value within a Distinguished Name. Example: identandy.com

Leave a Reply

Your email address will not be published. Required fields are marked *