Code, Docs & Tools
Apache: how to create a multi-domain SSL certificate
By defult, an SSL certificate is valid for only a single domain name.
Using wildcards, you can match all the subdomains with a single certificate. However, a wildcard certificate is valid only for the subdomains, and not for the main domain: so, a certificate for *.example.com is valid for www.example.com, foo.example.com and bar.example.com, but not for example.com.
If you need to match both the main domain and subdomains, or even different domains (i.e. example.com and example.net), you need a multi-domain SSL certificate.
• See how to create a single-domain self-signed SSL certificate
How to create the multi-domain SSL certificate
To create the multi-domain SSL certificate you need the openssl libraries and application on your PC.
Basically, the commands to create a multi-domain SSL certificate are almost the same to create a single-domain certificate.
In this case it's required to generate a Certificate Signing Request (CSR) using a customized version of the OpenSSL configuration file, including in it the list of domain names (SubjectAltName) and, optionally, IP addresses.
Customize the openssl.conf file
Make a copy of the openssl.conf file (usually located in /etc/ssl/openssl.cnf) into the working directory. You can name this file openssl_copy.cnf, for example.
Then open the new file with a text editor and search for the [req] section, and uncomment the req_extensions line removing the hash (#) on the first column:
[ req ] req_extensions = v3_req # The extensions to add to a certificate request
The search for the [v3_req] section and add the subjectAltName parameter:
[ v3_req ] subjectAltName = @alt_names
Fianlly, add at the end of the file a new section [alt_names] that contains all the domain names and/or IP addresses you want to include in the SSL certificate:
[ alt_names ] DNS.1 = example.com DNS.2 = www.example.com DNS.3 = *.third.example.com DNS.4 = example.net DNS.5 = *.example.net IP.1 = 22.214.171.124 IP.2 = 126.96.36.199
In this example, the SSL certificate will be valid for example.com, www.example.com, all the subdomains of third.example.com (but not for third.example.com itself), and example.net including all its subdomains (only the thrid-levels).
The certificate will be valid also for IP addresses 188.8.131.52 and 184.108.40.206: it could be useful if the server is accessible directly via the IP address, instead of using a domain name.
Create the Certificate Signing Request (CSR)
Now you can create the key and the CSR file:
$ openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr -config openssl_copy.cnf Generating a 2048 bit RSA private key ....................................................................+++ .................................................................................................................+++ writing new private key to 'example.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]:England Locality Name (eg, city) :London Organization Name (eg, company) [Internet Widgits Pty Ltd]:WizLab Organizational Unit Name (eg, section) :IT Common Name (e.g. server FQDN or YOUR name) :www.example.com Email Address :email@example.com
This will create a 2048-bits key: if you need longer keys, change rsa:2048 with the value you prefer.
You can verify the CSR file content to be sure the multiple domain names have been included:
$ openssl req -text -noout -in example.com.csr Certificate Request: Data: Version: 0 (0x0) Subject: C=GB, ST=England, L=London, O=WizLab, OU=IT, CN=www.example.com/emailAddressfirstname.lastname@example.org Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:.......[content removed]...........:8c Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:example.com, DNS:www.example.com, DNS:example.net, DNS:*.example.net, IP Address:220.127.116.11, IP Address:18.104.22.168 Signature Algorithm: sha256WithRSAEncryption 9c:.........[content removed]..............:0a
Fianally, you can create the self-signed multi-domain SSL certificate:
$ openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -extensions v3_req -extfile openssl_copy.cnf Signature ok subject=/C=GB/ST=England/L=London/O=WizLab/OU=IT/CN=www.example.com/emailAddressemail@example.com Getting Private key
The last step is the virtual host configuration on Apache:
<VirtualHost 22.214.171.124:443> ServerName www.example.com DocumentRoot /www ErrorLog logs/www.example.com-error.log CustomLog logs/www.example.com-access.log combined SSLEngine on SSLCertificateFile certs/example.com.crt SSLCertificateKeyFile certs/example.com.key </VirtualHost>
You can then restart Apache to make the changes effective.