I find it hard to remember a period in my whole life in which I issued, reissued, renewed and revoked so many certificates.
And while that's usually fun and interesting, there's one thing I often needed and never figured out, till a few days ago, which is how to generate CSRs (Certificate Signing Requests) with AlternativeNames (eg: including www and non-www domain in the same cert) with a one-liner command.
This need is due to the fact that some certificate providers (like GeoTrust) don't cover the parent domain when requesting a new certificate (eg: CSR for www.endpoint.com won't cover endpoint.com), unless you specifically request so.
Luckily that's not the case with other Certificate products (like RapidSSL) which already offer this feature built-in.
This scenario is starting to be problematic more often since we're seeing a growing number of customers supporting sites with HTTPs connections covering both www and "non-www" subdomains for their site.
Luckily the solution is pretty simple and straight-forward and the only requirement is that you should type the CSR subject on the command line directly, basically without the use of the interactive question mechanism.
If you managed to understand how an SSL certificate works this shouldn't be a huge problem, anyway just as a recap here's the list of the meaning for the common Subject entries you'll need:
- C => Country
- ST => State
- L => City
- O => Organization
- OU => Organization Unit
- CN => Common Name (eg: the main domain the certificate should cover)
- emailAddress => main administrative point of contact for the certificate
So by using the common syntax for OpenSSL subject written via command line you need to specify all of the above (the OU is optional) and add another section called subjectAltName=.>
By adding DNS.n (where n is a sequential number) entries under the "subjectAltName" field you'll be able to add as many additional "alternate names" as you want, even not related to the main domain.
Obviously the first-level parent domain will be covered by most SSL products, unless specified differently.
So here's an example to generate a certificate which will cover www.endpoint.com and endpoint.com:
openssl req -new -key endpoint.com.key -sha256 -nodes -subj '/C=US/ST=New York/L=New York/O=End Point/OU=Hosting Team/CN=www.endpoint.com/ emailAddressemail@example.com/ subjectAltName=DNS.1=endpoint.com' > www.endpoint.com.csr
So here's another example with multiple DNS.n entries:
openssl req -new -key endpoint.com.key -sha256 -nodes -subj '/C=US/ST=New York/L=New York/O=End Point/OU=Hosting Team/CN=www.endpoint.com/ emailAddressfirstname.lastname@example.org/ subjectAltName=DNS.1=endpoint.com, DNS.2=usually-not-convered-domain.endpoint.com, DNS.3=multiple-domains-crt.endpoint.com' > www.endpoint.com.csr
warning: we had to split the command into multiple lines to make it readable, but you should keep it all on one line, otherwise you may lose some Subject details.
Now with that I'm able to generate proper multi-domain CSRs effectively.
Please note the use of the -sha256 to use the SHA256 algorithm to sign the CSR that, while not required, is appreciated considered the last round of concerning "attentions" to SHA1.
As one of our readers correctly pointed out, the certificate generate with this method won't comply with the X509v3 extensions.
Most of the time this is not a problem as we found that many big certificate authorities will be happy with the generated certificate and sign it for the right domains (NameCheap, GoDaddy, GeoTrust) though, just for completeness, be aware that if you need X509v3 compliance you should follow the usual standard configuration-file-based method.