How to Generate and Update SSL SAN Certificate in Linux

What is SAN Certificate?

   A Subject Alternative Name (SAN) certificate, also called a multi-domain SSL certificate, lets you identify several domain names, or even IP addresses, with one certificate. SAN certificates are more flexible in this respect. A SAN certificate also covers an unlimited server licence and can even be used in a shared hosting environment. Anyone who runs more than one website can consider an SSL SAN certificate to protect them.

For example, you can secure all these domains with a Single SAN Certificate.

www.quickfixlinux.com

quickfixlinux.com

www.support.quickfixlinux.net

support.quickfixlinux.net

1] Now let us go through the steps to generate the SAN certificate on the server.

To create the SAN CSR, we need to add a few things to the <openssl.cnf> file: tell openssl to include the X.509 v3 extensions in the CSR, and list the Subject Alternative Names that should go into the CSR file.


2] Locate the <openssl.cnf> file:

[root@quickfixlinux ~]# locate openssl.cnf

/etc/pki/tls/openssl.cnf

/usr/share/man/man5/openssl.cnf.5ssl.gz


3] Take a copy of the existing openssl.cnf file before editing it:

# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.28Mar18  


4] Use your favourite editor to edit the openssl.cnf file:

# vim /etc/pki/tls/openssl.cnf

Make the changes below:


[req]
req_extensions = v3_req

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.quickfixlinux.com
DNS.2 = quickfixlinux.com
DNS.3 = www.support.quickfixlinux.net
DNS.4 = support.quickfixlinux.net

That is all; save the file and exit.


5] Now we can create the CSR using the modified openssl.cnf file; all 4 domains will be added as Subject Alternative Names in the CSR.


6] Issue the openssl command below to generate the CSR file with the modified config file:

# cd /etc/pki/tls/

# openssl req -new -key quickfixlinux.com.key -out quickfixlinux.com.csr -config openssl.cnf

Where:

quickfixlinux.com.key -> the private key
quickfixlinux.com.csr -> the CSR file

Error message:

I got the error message below while trying to create the private key and the CSR file.

This error means the private key is missing from the given path. If you already have a private key you want to use, point the command at its path; if not, you need to create a new private key before generating the CSR file.


ERROR MESSAGE:
Error opening Private Key quickfixlinux.com.key
139770638227360:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('quickfixlinux.com.key','r')
139770638227360:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key

To overcome this error, first create the private key and then the CSR file.


6.1] Generate the private key file for the certificate:

[root@quickfixlinux tls]# openssl genrsa -des3 -out quickfixlinux.com.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
....................................................................+++
e is 65537 (0x10001)
Enter pass phrase for quickfixlinux.com.key:
Verifying - Enter pass phrase for quickfixlinux.com.key:

Here you choose your own password as the pass phrase.


6.2] List the directory contents to see the private key:

[root@quickfixlinux tls]# ls -ltr
total 16
drwxr-xr-x. 2 root root     6 May 17  2017 private
lrwxrwxrwx. 1 root root    49 Aug 14  2017 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
drwxr-xr-x. 2 root root   117 Mar 28 13:08 certs
drwxr-xr-x. 2 root root    74 Mar 28 13:08 misc
-rw-r--r--. 1 root root 11118 Mar 28 13:16 openssl.cnf
-rw-r--r--. 1 root root  1743 Mar 28 15:46 quickfixlinux.com.key


6.3] Check that the generated key file is valid:

[root@quickfixlinux tls]# openssl rsa -in quickfixlinux.com.key -check
Enter pass phrase for quickfixlinux.com.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
.....
.....
.....
-----END RSA PRIVATE KEY-----


7] Now run the command below to generate the CSR file:

[root@quickfixlinux tls]# openssl req -new -key quickfixlinux.com.key -out quickfixlinux.com.csr -config openssl.cnf
Enter pass phrase for quickfixlinux.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:Singapore
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:Quickfinxlinux INC
Organizational Unit Name (eg, section) []:QFL
Common Name (eg, your name or your server's hostname) []:quickfixlinux.com
Email Address []:fixadmin@quickfixlinux.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

For the pass phrase, enter the password you gave when generating the private key.


8] Verify the contents of the CSR file:

[root@quickfixlinux tls]# openssl req -noout -text -in quickfixlinux.com.csr

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=SG, ST=Singapore, L=Singapore, O=Quickfinxlinux INC, OU=QFL, CN=quickfixlinux.com/emailAddress=fixadmin@quickfixlinux.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:


                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.quickfixlinux.com, DNS:quickfixlinux.com, DNS:www.support.quickfixlinux.net, DNS:support.quickfixlinux.net
    Signature Algorithm: sha256WithRSAEncryption


Here you can see that the 4 domains you listed in the openssl config file are reflected in your CSR file under "X509v3 Subject Alternative Name".


9] Verify that the server certificate and the private key match:

[root@quickfixlinux tls]# openssl rsa -modulus -noout -in /etc/pki/tls/private/quickfixlinux.com.key | openssl md5
Enter pass phrase for /etc/pki/tls/private/quickfixlinux.com.key:
(stdin)= d6fce5e7e3039c58860e4fb3f78844b9

[root@quickfixlinux tls]# openssl x509 -modulus -noout -in /etc/pki/tls/certs/ServerCertificate.crt | openssl md5
(stdin)= d6fce5e7e3039c58860e4fb3f78844b9

Make sure both (stdin)= values are identical; if they differ, the certificate was not issued for this private key.
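Putting steps 4 to 9 together as an added example (not from the original post): a POSIX shell script that writes the [req] / [v3_req] / [alt_names] sections into a dedicated config file instead of editing the system-wide openssl.cnf, generates the key and CSR without prompts, and then checks that the CSR carries the expected SANs and matches the key. The work directory, the unencrypted key and the domain list are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a standalone OpenSSL
# config with the SAN list, creates key + CSR non-interactively and verifies
# the result. $WORKDIR, the key without pass phrase and the domains are
# constructed sample values.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
umask 077   # the private key must not be group- or world-readable

# make_san_csr NAME DOMAIN...  -> writes NAME.cnf, NAME.key, NAME.csr in $WORKDIR
# The first DOMAIN becomes the CN; every DOMAIN (CN included) becomes a DNS SAN.
make_san_csr() {
    name="$1"; shift
    cnf="$WORKDIR/$name.cnf"
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$1"
        printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for d in "$@"; do printf 'DNS.%d = %s\n' "$i" "$d"; i=$((i + 1)); done
    } > "$cnf"
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" -config "$cnf"
}

# csr_sans NAME -> prints one DNS SAN per line, as recorded in the CSR (step 8)
csr_sans() {
    openssl req -noout -text -in "$WORKDIR/$1.csr" \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' | sed 's/^ *DNS://'
}

# key_matches_csr NAME -> succeeds when key and CSR share one modulus (step 9 check)
key_matches_csr() {
    k=$(openssl rsa -noout -modulus -in "$WORKDIR/$1.key" | openssl md5)
    c=$(openssl req -noout -modulus -in "$WORKDIR/$1.csr" | openssl md5)
    [ "$k" = "$c" ]
}
```

Modern browsers match the requested host against the SAN list only, so the Common Name must also appear as a DNS entry, as it does here.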


10] Verify that you have downloaded the correct SSL Certificate:

[root@quickfixlinux tls]# openssl x509 -subject -dates -noout -in certificate_file
subject= /C=SG/L=Singapore/O=NCS Pte Ltd/CN=www.quickfixlinux.com
notBefore=Mar 20 09:15:39 2018 GMT
notAfter=Feb 27 09:45:38 2019 GMT


11] Once you have received the external certificate, update the SSL configuration file to point at it:

# vim /etc/httpd/conf.d/ssl.conf

Look for the 3 lines below:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt          -> Server certificate (external cert)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key     -> Server private key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt  -> Intermediate cert


12] Once done, restart the httpd service:

# service httpd restart

