💾 Archived View for edwardtefft.com › posts › 2021-03-06-self-signed-keys.gmi captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

➡️ Next capture (2024-03-21)

-=-=-=-=-=-=-

Self-signing keys for multiple names

Published 2021-03-06

The problem

I wanted my self-signed certificate to be good for edwardtefft.com AND www.edwardtefft.com.

The solution

First, openssl.cnf needed to be edited, but that was the only inconvenience. Note that I use Slackware Linux, so your distribution may keep openssl.cnf somewhere else and with different content.

Edit /etc/ssl/openssl.cnf. Uncomment

req_extensions = v3_req

Also, under the [ v3_req ] section, make sure it says:

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = edwardtefft.com
DNS.2 = www.edwardtefft.com

Then, generate a key and certificate with the following command:

openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout gemkey.pem -out gemcert.pem -extensions 'v3_req'

Most questions it asks can be left blank. Note that a period '.' will leave a field blank. For reference, these are the only questions I answered:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Kentucky
...
Common Name (e.g. server FQDN or YOUR name) []:edwardtefft.com
Email Address []:tefftedward@yahoo.com

After those are generated, you can check that your Subject Alternative Names (SANs) are correct by running:

openssl x509 -in gemcert.pem -noout -text

There should be a section in the output that says:

X509v3 Subject Alternative Name:
   DNS:edwardtefft.com, DNS:www.edwardtefft.com

Sources:

https://tech.lanesnotes.com/2009/04/creating-ssl-certificates-with-multiple.html

https://support.citrix.com/article/CTX135602

Back