Apache: how to create a multi-domain SSL certificate

Introduction

By default, an SSL certificate is valid for a single domain name only.

Using a wildcard, you can cover all the subdomains (one label deep) with a single certificate. A wildcard certificate, however, is valid only for those subdomains and not for the main domain: a certificate for *.example.com is valid for www.example.com, foo.example.com and bar.example.com, but not for example.com.

If you need to cover both the main domain and its subdomains, or even different domains (e.g. example.com and example.net), you need a multi-domain SSL certificate.

Note:
• See how to create a single-domain self-signed SSL certificate

How to create the multi-domain SSL certificate

To create a multi-domain SSL certificate you need the OpenSSL library and command-line tool installed on your PC.

The commands for creating a multi-domain SSL certificate are almost the same as those for a single-domain certificate.

The difference is that the Certificate Signing Request (CSR) is generated with a customized copy of the OpenSSL configuration file, which lists the domain names (as subjectAltName entries) and, optionally, IP addresses that the certificate must cover.

Customize the openssl.cnf file

Copy the openssl.cnf file (usually /etc/ssl/openssl.cnf) into your working directory; you can name the copy openssl_copy.cnf, for example.

Then open the new file in a text editor, find the [req] section and uncomment the req_extensions line by removing the hash (#) in the first column:

[ req ]
req_extensions = v3_req # The extensions to add to a certificate request

Then search for the [v3_req] section and add the subjectAltName parameter:

[ v3_req ]
subjectAltName = @alt_names

Finally, add a new [alt_names] section at the end of the file containing all the domain names and/or IP addresses you want to include in the certificate:

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.third.example.com
DNS.4 = example.net
DNS.5 = *.example.net
IP.1 = 1.2.3.4
IP.2 = 5.6.7.8

In this example, the certificate will be valid for example.com, www.example.com, all the third-level subdomains of third.example.com (foo.third.example.com, for instance, but not third.example.com itself), and example.net together with its third-level subdomains (*.example.net covers www.example.net, but not a deeper name such as a.b.example.net).

The certificate will also be valid for the IP addresses 1.2.3.4 and 5.6.7.8, which is useful if the server is reached directly by IP address instead of by domain name.

Create the Certificate Signing Request (CSR)

Now create the private key and the CSR file:

$ openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr -config openssl_copy.cnf
Generating a 2048 bit RSA private key
....................................................................+++
.................................................................................................................+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WizLab
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:john@example.com

This creates a 2048-bit key; if you need a longer key, replace rsa:2048 with the size you prefer (rsa:4096, for example). The -nodes option leaves the private key unencrypted so that Apache can load it at startup without a passphrase, so restrict the permissions on example.com.key to the user that runs the server.

Check the CSR content to be sure that every name from [alt_names] appears under X509v3 Subject Alternative Name (an entry missing here will be missing from the certificate as well):

$ openssl req -text -noout -in example.com.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=England, L=London, O=WizLab, OU=IT, CN=www.example.com/emailAddress=john@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:.......[content removed]...........:8c
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, DNS:example.net, DNS:*.example.net, IP Address:1.2.3.4, IP Address:5.6.7.8
    Signature Algorithm: sha256WithRSAEncryption
         9c:.........[content removed]..............:0a

Finally, create the self-signed multi-domain SSL certificate. The -extensions v3_req -extfile openssl_copy.cnf options are required: openssl x509 -req does not carry the requested extensions from the CSR into the certificate by itself, so without them the certificate would have no subjectAltName at all:

$ openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -extensions v3_req -extfile openssl_copy.cnf
Signature ok
subject=/C=GB/ST=England/L=London/O=WizLab/OU=IT/CN=www.example.com/emailAddress=john@example.com
Getting Private key
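The whole procedure above, as an added shell script that is not part of the original article: it writes a configuration equivalent to the openssl.cnf edits described earlier (with prompt = no so the DN is read from the file instead of typed in), generates the key and CSR, self-signs with the v3_req extensions, and then runs the checks worth doing before pointing Apache at the files: that every [alt_names] entry survived into the certificate, that the certificate and key really belong together, and that a wildcard entry covers exactly one label. It assumes the openssl command-line tool is installed; the names, IP addresses and DN values are the article's sample values, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds the
# multi-domain self-signed certificate in a scratch directory and
# checks the result. Assumes the openssl command-line tool is present;
# names, IPs and DN fields are the article's sample values.
set -eu

# Config equivalent to the openssl.cnf edits in the text. prompt = no
# makes openssl req take the DN from this file, so it runs unattended.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = GB
ST = England
L = London
O = WizLab
OU = IT
CN = www.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.third.example.com
DNS.4 = example.net
DNS.5 = *.example.net
IP.1 = 1.2.3.4
IP.2 = 5.6.7.8
EOF
}

# Key + CSR, then self-sign. -extensions/-extfile copy v3_req into the
# certificate; without them x509 -req emits a certificate with no SAN.
make_cert() {
    write_config "$1/openssl_copy.cnf"
    openssl req -newkey rsa:2048 -nodes -keyout "$1/example.com.key" \
        -out "$1/example.com.csr" -config "$1/openssl_copy.cnf" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/example.com.csr" \
        -signkey "$1/example.com.key" -out "$1/example.com.crt" \
        -extensions v3_req -extfile "$1/openssl_copy.cnf" 2>/dev/null
}

# 0 only if every [alt_names] entry is in the certificate's SAN extension.
san_complete() {
    san="$(openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1),"
    for name in example.com www.example.com '*.third.example.com' \
                example.net '*.example.net'; do
        case $san in *"DNS:$name,"*) ;; *) return 1 ;; esac
    done
    for ip in 1.2.3.4 5.6.7.8; do
        case $san in *"IP Address:$ip,"*) ;; *) return 1 ;; esac
    done
}

# 0 if certificate and key share the same RSA modulus, i.e. the files
# given to SSLCertificateFile and SSLCertificateKeyFile belong together.
key_matches_cert() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# 0 if OpenSSL's own name matching accepts the host/IP for this certificate;
# a wildcard such as *.third.example.com matches exactly one label.
cert_matches_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match certificate'
}
cert_matches_ip() {
    openssl x509 -noout -in "$1" -checkip "$2" | grep -q 'does match certificate'
}

# Runs everything in a scratch directory; 0 when all checks pass.
run_demo() {
    dir=$(mktemp -d)
    ok=0
    make_cert "$dir" \
      && san_complete "$dir/example.com.crt" \
      && key_matches_cert "$dir/example.com.crt" "$dir/example.com.key" \
      && cert_matches_host "$dir/example.com.crt" foo.third.example.com \
      && cert_matches_host "$dir/example.com.crt" www.example.net \
      && cert_matches_ip "$dir/example.com.crt" 1.2.3.4 \
      && ! cert_matches_host "$dir/example.com.crt" third.example.com \
      && ok=1
    rm -rf "$dir"
    [ "$ok" = 1 ]
}

run_demo && echo "multi-domain certificate built and verified"
```

The san_complete check is the one to keep around: it is exactly the failure mode of forgetting -extensions/-extfile, and a certificate that passes it will be accepted by browsers for every listed name, while the -checkhost calls make the one-label wildcard rule from the text visible on the real certificate.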

Apache configuration

The last step is the virtual host configuration in Apache:

<VirtualHost 1.2.3.4:443>
    ServerName www.example.com
    DocumentRoot /www
    ErrorLog logs/www.example.com-error.log
    CustomLog logs/www.example.com-access.log combined
    SSLEngine on
    SSLCertificateFile certs/example.com.crt
    SSLCertificateKeyFile certs/example.com.key
</VirtualHost>

Check the configuration syntax (apachectl configtest) and then restart Apache to make the changes effective.