waffel’s Weblog

November 17, 2009

create self-signed multi-domain certificate

Filed under: administration, webmaster — Thomas Wabner @ 6:29 pm

I have a domain mydomain.com with some subdomains like

Now I need a self-signed certificate that covers all these domains because I want to serve them over HTTPS. It takes a few steps. First of all: for this purpose you do not need your own root certificate (CA); the server certificate simply signs itself. Replace every occurrence of mydomain.com with your own domain name and subdomains.

On the Gentoo server where Apache will host the domains, I create the certificate with the following steps:

  1. Generate a private key (1024 bits was common in 2009; use 2048 bits or more today, since current clients reject shorter RSA keys. The -des3 option encrypts the key with a passphrase that step 3 removes again, so you can also leave it out here.)
    openssl genrsa -des3 -out mydomain.key 1024
    
  2. Generate a CSR (Certificate Signing Request)
    openssl req -new -key mydomain.key -out mydomain.csr
    
    Country Name (2 letter code) [DE]:DE
    State or Province Name (full name) [Sachsen]:Sachsen
    Locality Name (eg, city) [Leipzig]:Leipzig
    Organization Name (eg, company) [My Company Ltd]:mydomain.com
    Organizational Unit Name (eg, section) []:Information Technology
    Common Name (eg, your name or your server's hostname) []:mydomain.com
    Email Address []:thomas dot wabner at mydomain dot com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
  3. Remove the passphrase from the key (otherwise Apache asks for it on every start)
    cp mydomain.key mydomain.key.org
    openssl rsa -in mydomain.key.org -out mydomain.key
    
  4. Generating a Self-Signed Certificate

    To include all required subdomains, an extensions file must be used: the Common Name from the CSR holds only a single name, while the subjectAltName extension carries the full list. For example, I have created a file /home/waffel/ssl/mydomain_extensions with the following content:

    [ mydomain_http ]
    nsCertType      = server
    keyUsage        = digitalSignature,nonRepudiation,keyEncipherment
    extendedKeyUsage        = serverAuth
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid,issuer
    subjectAltName          = @mydomain_http_subject
    [ mydomain_http_subject ]
    DNS.1 = www.mydomain.com
    DNS.2 = nexus.mydomain.com
    DNS.3 = trac.mydomain.com
    DNS.4 = svn.mydomain.com
    # The bare domain must be listed here as well: current clients (Chrome since
    # version 58, for example) ignore the Common Name and match only these entries.
    DNS.5 = mydomain.com
    

    The last command to create the certificate is:

    openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt -extfile /home/waffel/ssl/mydomain_extensions -extensions mydomain_http
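As an added example (not commands from the original post), here are steps 1 to 4 as one non-interactive POSIX shell script, with two changes a practitioner would make today: the key is 2048 bits and generated without a passphrase (so step 3 is not needed), and the bare domain goes into subjectAltName alongside the subdomains, because current clients ignore the Common Name. It ends with the check the post does not show: reading the subjectAltName entries back out of the certificate and testing whether a given host name is covered. The domain and subdomain names, the temporary working directory and the function names are assumptions for illustration; the script needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not the original post's commands: the post's four steps as
# one non-interactive script, plus a check of the resulting certificate.
# Domain names, working directory and function names are assumptions.
set -eu

DOMAIN="mydomain.com"                      # assumed apex domain
SUBDOMAINS="www nexus trac svn"            # the four subdomains from the post
WORKDIR="${WORKDIR:-$(mktemp -d)}"         # assumed scratch directory

# Write the OpenSSL extensions file: same sections as the post's
# /home/waffel/ssl/mydomain_extensions, with the apex added as DNS.1.
write_extfile() {
    ext="$WORKDIR/${DOMAIN}_extensions"
    {
        echo "[ mydomain_http ]"
        echo "nsCertType             = server"
        echo "keyUsage               = digitalSignature,nonRepudiation,keyEncipherment"
        echo "extendedKeyUsage       = serverAuth"
        echo "subjectKeyIdentifier   = hash"
        echo "authorityKeyIdentifier = keyid,issuer"
        echo "subjectAltName         = @mydomain_http_subject"
        echo "[ mydomain_http_subject ]"
        echo "DNS.1 = $DOMAIN"
        i=2
        for sub in $SUBDOMAINS; do
            echo "DNS.$i = $sub.$DOMAIN"
            i=$((i + 1))
        done
    } > "$ext"
    echo "$ext"
}

# Steps 1, 2 and 4 of the post. Prints the path of the certificate.
make_cert() {
    ext=$(write_extfile)
    key="$WORKDIR/$DOMAIN.key"
    csr="$WORKDIR/$DOMAIN.csr"
    crt="$WORKDIR/$DOMAIN.crt"
    # Step 1: 2048-bit key without passphrase (so step 3 is not needed).
    openssl genrsa -out "$key" 2048 2>/dev/null
    # Step 2: CSR; -subj answers the interactive prompts shown in the post.
    openssl req -new -key "$key" \
        -subj "/C=DE/ST=Sachsen/L=Leipzig/O=$DOMAIN/OU=Information Technology/CN=$DOMAIN" \
        -out "$csr"
    # Step 4: self-sign, pulling subjectAltName from the extensions file.
    openssl x509 -req -days 365 -in "$csr" -signkey "$key" -out "$crt" \
        -extfile "$ext" -extensions mydomain_http 2>/dev/null
    echo "$crt"
}

# Check: print the subjectAltName entries of a certificate as one line, e.g.
# DNS:mydomain.com,DNS:www.mydomain.com,... (empty if the extension is missing).
san_names() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr -d ' '
}

# Check: is host $2 one of the SAN entries of certificate $1? SAN only: a
# name that is merely the Common Name does not count for current clients.
covers_host() {
    san_names "$1" | tr ',' '\n' | grep -qx "DNS:$2"
}

CRT=$(make_cert)
echo "certificate: $CRT"
echo "subjectAltName: $(san_names "$CRT")"
for host in "$DOMAIN" "nexus.$DOMAIN" "mail.$DOMAIN"; do
    if covers_host "$CRT" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered"
    fi
done
```

Run as-is, the script prints the certificate path and its SAN list; mail.mydomain.com is reported as not covered because it is not in the list, which is exactly the browser warning you get when a subdomain was forgotten in the extensions file.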
    

In the Apache configuration for the SSL virtual host I have enabled the SSL module with the following content:

...
ServerAlias svn.mydomain.com trac.mydomain.com nexus.mydomain.com

        ErrorLog /var/log/apache2/ssl_mydomain_error_log
        <IfModule log_config_module>
                TransferLog /var/log/apache2/ssl_mydomain_access_log
        </IfModule>

        SSLEngine on
        # The commented-out line below is Apache's old sample default. It permits
        # SSLv2, export, LOW and even eNULL (unencrypted) ciphers and should not be
        # used; the two directives after it restrict the server to sane settings.
        # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
        SSLCertificateFile /etc/apache2/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
        # Not needed for a self-signed certificate: there is no intermediate chain
        # to send, so this would only ship unrelated CA certificates to clients.
        # SSLCertificateChainFile /etc/ssl/cacert.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        <IfModule log_config_module>
                CustomLog /var/log/apache2/ssl_mydomain_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>
...

For example, if you need such a certificate to connect your Maven build to a self-installed Nexus repository over HTTPS, you can follow the article from ahoehma.

A more detailed description with some background information about the certificate creation can be found here.


4 comments »

  1. Hi, thanks for the tutorial!

    Is it possible to use it for multiple virtual servers?
    Your Apache configuration seems to use only one server
    (www.*) and several aliases for it.

    André

    Comment by André — February 14, 2010 @ 10:29 pm | Reply

  2. > Is it possible to use it for multiple virtual servers?

    It depends on how the “virtual servers” are configured in apache.
    In general – the answer is “yes” – you can add as many domain names (e.g. http://www.mydomain.com, webmail.anotherdomain.net) to the certificate as you want to.

    But you should bear in mind that name-based virtual aliasing for SSL is a bit problematic with apache – this is not apache’s fault, but a general problem. See http://httpd.apache.org/docs/2.0/vhosts/name-based.html (“Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol.”) – a solution for this question is off-topic here, but probably you already know about it… ;-)

    Regards
    -stefan-

    Comment by Stefan Palme — February 16, 2010 @ 4:08 pm | Reply

  3. Thanks, good work.
    A small error: You create a private file “server.key” (1) and refer to it as mydomain.key (2).

    Comment by hamatoma — February 25, 2014 @ 1:24 am | Reply

