How to Generate and Update SSL SAN Certificate in Linux
What is a SAN Certificate?
A Subject Alternative Name (SAN) certificate, also called a multi-domain SSL certificate, lets you identify several domain names, or even IP addresses, with one certificate. SAN certificates are more flexible in this respect. A SAN certificate also covers an unlimited server licence and can even be used in a shared hosting environment. Anyone who runs more than one website can consider an SSL SAN certificate to protect them.
For example, you can secure all these domains with a Single SAN Certificate.
www.quickfixlinux.com
quickfixlinux.com
www.support.quickfixlinux.net
support.quickfixlinux.net
1] Now let us go through the steps to generate the SAN certificate on the server.
To create the SAN cert, we need to add a few things to the openssl.cnf file: tell openssl to create a CSR that includes the X509v3 extensions, and list the Subject Alternative Names that go into the CSR.
2] Locate the openssl.cnf file:
[root@quickfixlinux ~]# locate openssl.cnf
/etc/pki/tls/openssl.cnf
/usr/share/man/man5/openssl.cnf.5ssl.gz
3] Take a copy of the existing openssl.cnf file before editing it:
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.28Mar18
4] Use your favourite editor to edit the openssl.cnf file:
# vim /etc/pki/tls/openssl.cnf
Make the changes below. The stock v3_req section already carries basicConstraints and keyUsage (which is why they show up in the CSR later); you are adding the subjectAltName line and the alt_names section:
[req]
req_extensions = v3_req

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.quickfixlinux.com
DNS.2 = quickfixlinux.com
DNS.3 = www.support.quickfixlinux.net
DNS.4 = support.quickfixlinux.net
That is all; save the file and exit.
5] Now we can create the CSR with the modified openssl.cnf file; it will add all 4 domains as Subject Alternative Names to the CSR.
6] Issue the openssl command below to generate the CSR file with the modified config file:
# cd /etc/pki/tls/
# openssl req -new -key quickfixlinux.com.key -out quickfixlinux.com.csr -config openssl.cnf
Where:
quickfixlinux.com.key -> is the private key
quickfixlinux.com.csr -> is the CSR file
Error message:
I got the below error message while trying to create the private key and the CSR file.
This error means the private key is missing from the given path. If you are sure of the private key you want to use, give its path; if not, you need to create a new private key before generating the CSR file.
ERROR MESSAGE:
Error opening Private Key quickfixlinux.com.key
139770638227360:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('quickfixlinux.com.key','r')
139770638227360:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
To overcome this error, first create the private key and then the CSR file.
6.1] Generate the private key file for certificate generation:
[root@quickfixlinux tls]# openssl genrsa -des3 -out quickfixlinux.com.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
..............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for quickfixlinux.com.key:
Verifying - Enter pass phrase for quickfixlinux.com.key:
Here you can give your own password as the pass phrase. Note that -des3 encrypts the key with it, so httpd will prompt for the pass phrase at every restart unless you configure SSLPassPhraseDialog or keep the key unencrypted and protected by file permissions instead.
6.2] List the directory to see the private key:
[root@quickfixlinux tls]# ls -ltr
total 16
drwxr-xr-x. 2 root root 6 May 17 2017 private
lrwxrwxrwx. 1 root root 49 Aug 14 2017 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
drwxr-xr-x. 2 root root 117 Mar 28 13:08 certs
drwxr-xr-x. 2 root root 74 Mar 28 13:08 misc
-rw-r--r--. 1 root root 11118 Mar 28 13:16 openssl.cnf
-rw-r--r--. 1 root root 1743 Mar 28 15:46 quickfixlinux.com.key
Note that the key was created with mode 644 (world-readable); restrict it with chmod 600 and keep it under /etc/pki/tls/private/, the directory steps 9 and 11 use.
6.3] Check that the generated key file is valid (add -noout if you do not want the decrypted key echoed to the terminal):
[root@quickfixlinux tls]# openssl rsa -in quickfixlinux.com.key -check
Enter pass phrase for quickfixlinux.com.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
.....
.....
.....
-----END RSA PRIVATE KEY-----
7] Now run the command below to generate the CSR file:
[root@quickfixlinux tls]# openssl req -new -key quickfixlinux.com.key -out quickfixlinux.com.csr -config openssl.cnf
Enter pass phrase for quickfixlinux.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:Singapore
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:Quickfinxlinux INC
Organizational Unit Name (eg, section) []:QFL
Common Name (eg, your name or your server's hostname) []:quickfixlinux.com
Email Address []:fixadmin@quickfixlinux.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
For the pass phrase, enter the password you gave when generating the private key.
8] Verify the contents of the CSR file:
[root@quickfixlinux tls]# openssl req -noout -text -in quickfixlinux.com.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=SG, ST=Singapore, L=Singapore, O=Quickfinxlinux INC, OU=QFL, CN=quickfixlinux.com/emailAddress=fixadmin@quickfixlinux.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .....
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.quickfixlinux.com, DNS:quickfixlinux.com, DNS:www.support.quickfixlinux.net, DNS:support.quickfixlinux.net
    Signature Algorithm: sha256WithRSAEncryption
         .....
Here you can see that the 4 domains you listed in the openssl config file are reflected in the CSR under Requested Extensions.
9] Verify that the server certificate and the private key match:
[root@quickfixlinux tls]# openssl rsa -modulus -noout -in /etc/pki/tls/private/quickfixlinux.com.key | openssl md5
Enter pass phrase for /etc/pki/tls/private/quickfixlinux.com.key:
(stdin)= d6fce5e7e3039c58860e4fb3f78844b9
[root@quickfixlinux tls]# openssl x509 -modulus -noout -in /etc/pki/tls/certs/ServerCertificate.crt | openssl md5
(stdin)= d6fce5e7e3039c58860e4fb3f78844b9
Make sure both (stdin) digests match; if they differ, the certificate was not issued for this private key.
10] Verify that you have downloaded the correct SSL certificate by checking its subject and validity period:
[root@quickfixlinux tls]# openssl x509 -subject -dates -noout -in certificate_file
subject= /C=SG/L=Singapore/O=NCS Pte Ltd/CN=www.quickfixlinux.com
notBefore=Mar 20 09:15:39 2018 GMT
notAfter=Feb 27 09:45:38 2019 GMT
11] Once you have the external certificate, point the SSL configuration file at it. Look for the 3 lines below:
# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt -> Server certificate (external cert)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key -> Server private key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt -> Intermediate cert
12] Once done, run apachectl configtest to catch mistakes in ssl.conf, then restart the httpd service:
# service httpd restart
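As an added example (not from the original post), the POSIX shell helpers below automate steps 4 to 9 without interactive prompts: they write a config with the same v3_req/alt_names layout, generate a key and SAN CSR, issue a throw-away self-signed certificate that stands in for the CA-issued one, and run the page's two checks (SAN list present in the CSR; key, CSR and certificate share one modulus). The function names, the san.cnf/server.key/server.csr/server.crt file names and the choice of an unencrypted key protected by mode 0600 are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): reproduces the page's SAN CSR
# workflow and its verification steps without interactive prompts.
# Assumed names: make_san_csr, self_sign_test_cert, csr_san_list, moduli_match,
# and the files san.cnf / server.key / server.csr / server.crt under DIR.
set -eu

# make_san_csr DIR CN DNS1 [DNS2 ...]: write the config, the key and the CSR.
make_san_csr() {
    dir=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n\n'
        printf '[req_distinguished_name]\nCN = %s\n\n' "$cn"
        # Same v3_req content the stock openssl.cnf carries, plus the SAN line.
        printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > "$dir/san.cnf"
    # Unencrypted key so httpd can restart unattended; mode 0600 protects it instead.
    umask 077
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/san.cnf"
}

# self_sign_test_cert DIR: stand-in for the CA-issued certificate, keeping the
# requested extensions so the SAN list carries over into the certificate.
self_sign_test_cert() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 1 \
        -extfile "$1/san.cnf" -extensions v3_req -out "$1/server.crt" 2>/dev/null
}

# csr_san_list DIR: print the SAN values from the CSR (step 8's check).
csr_san_list() {
    openssl req -noout -text -in "$1/server.csr" |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# moduli_match DIR: step 9's check; succeeds when key, CSR and certificate
# all carry the same RSA modulus (digests compared, as on the page).
moduli_match() {
    k=$(openssl rsa  -noout -modulus -in "$1/server.key" | openssl sha256)
    r=$(openssl req  -noout -modulus -in "$1/server.csr" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl sha256)
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}
```

Call make_san_csr with a scratch directory, the common name and the four DNS names from the page, then self_sign_test_cert, csr_san_list and moduli_match on that directory; moduli_match fails if the certificate was issued for a different key.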