How to Generate and Update SSL SAN Certificate in Linux
What is SAN Certificate?
The Subject Alternative Name (SAN) are also called as multi-domain SSL Certificate, which allows you to identify different domain names or even IP Address with one certificate. SAN Certificates are more flexible in terms. SAN certificate also cover unlimited server license and can be even used for shared hosting environment. Anyone who has more than one website’s can consider SSL SAN Certificate to protect it.
For example, you can secure all these domains with a Single SAN Certificate.
1] Now, let us get into the steps on how to generate the SAN certificate from the server level.
To Create the SAN Cert, we need to add a few things to the <openssl.cnf> file. One would need to tell the openssl to create the CSR that includes the x509 V3 extension and to mention the list of Subject Alternative Names in the CSR file.
2] Locate the <openssl.cnf> file :
3] Take a copy of the existing openssl.cnf file before we edit with the changes.
4] Use your favourite editor to edit the openssl.cnf file:
Edit the changes as below:
|subjectAltName = @alt_names|
DNS.1 = www.quickfixlinux.com
DNS.2 = quickfixlinux.com
DNS.3 = www.support.quickfixlinux.net
DNS.4 = support.quickfixlinux.net
That is all save the file and exit.
5] Now, we can create the CSR using the modified openssl.cnf file, whereas, it will be adding the all 4 domains as Subject Alternative Names in the CSR key file.
6] Issue the below openssl command to generate the CSR file with the modified config file:
quickfixlinux.com.key -> Is the private key
quickfixlinux.com.csr -> Is the CSR file
I got the below error message while I try to create the private key and the CSR File.
This error message refers to the missing of private key in the desired path. If you are sure of the private key, you want to use, mention the private key path, if not you need to create the new private key for generating the CSR file.
|Error opening Private Key quickfixlinux.com.key
139770638227360:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen(‘quickfixlinux.com.key’,’r’)
139770638227360:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key
To overcome this error message, you need to first create the private key and then the CSR file.
6.1] To generate the private Key file for CERT generation:
Whereas, you can preferred to give your own password for pass phrase.
6.2] Try to list the content to see the private key :
6.3] To check the generated key file is working.
7] Now, run the below command to generate the CSR file :
For the pass phrase, you need to key in the password you have given while generating the private key.[/stextbox]
8] To Verify the CSR file is working :
Whereas, you can identify the 4 domains which you have mentioned in the openssl config file has been reflected in your CSR file.
9] To Verify the Server Certificate and the private key matches :
To make sure both the stdin value matches.
10] Verify that you have downloaded the correct SSL Certificate:
11] Once you got the external certificate, prepare to replace it into the SSL configuration file :
Look for the 3 Lines below:
12] Once done, restart the httpd service.