SSL wildcard & SAN certificates

SAN SSL Certificate (TEST URLs)

Table of contents :
SSL wildcard & SAN certificates
CN : Common Name
SAN:  Subject Alternative Name
Generate a certificate with SAN (Draft notes)

SSL wildcard & SAN certificates

An SSL certificate must be bound to a single server identity (…) or to several server identities (…, …).
There are basically two places where you can bind identities (generally the hostname of the server) to a certificate:

  • the Common Name (CN) in the Subject Name
    • the CN holds a single entry only: …
  • the Subject Alternative Name (SAN)
    • the SAN holds multiple entries: …, …

RFC 2818, section 3.1, states which identity a client must use:

  If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

This means that if the certificate contains a SAN, the CN is not considered. For example: the certificate … has the server identities … and … (but not …).

SSL Wildcard

If you do not want to list every entry (when there are several hostnames), you can use an SSL wildcard certificate instead.
Wildcard certificates are useful whenever you need a single certificate for a large number of servers. For example:

  • you have hundreds of front-end hostnames (each server exposes its own hostname and SSL is terminated directly on it), for example …
  • you need to add new servers (hostnames) without generating new certificates
  • there is only one certificate to revoke for all servers

The trade-off is that one private key then protects every host covered by the wildcard, so a key compromise on any one of those servers affects all of them.

The wildcard is the symbol *, and * can be used as short for …, …, …
A wildcard is valid only at a single sub-domain level, so * is not short for …, …

RFC 2818, section 3.1, gives the matching rule:

  Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

CN: Common Name

Subject Name:

  Organization (O)          = Busylog
  Organizational Unit (OU)  = IT Mail Services   (administrative unit)
  Country (C)               = IT                 (two-letter ISO country code: Italy)
  State (ST)                = Italy              (must be spelled out in full; no abbreviations)
  Locality (L)              = Turin              (city)
  Common Name (CN)          = *

The Common Name is usually (but not necessarily) a FQDN: …
A certificate with CN … is valid only for …. This means that you can reach the server with a browser (for example) at …, but if you try to reach it at … or …, the certificate is not valid and the browser shows a warning.

CN Wildcard

So you can (partially) work around this with a wildcard in the CN: …
In this case the certificate is valid for …, …, …
But the certificate is still not valid for the root domain: …

SAN: Subject Alternative Name

With this extension you can specify a list of names. Examples:
  DNS Name=* …
In this case the certificate is valid for: …, abc.busylog.net, login.mail.busylog.net, 192.168.2.1

Allowed SAN types

  email:email  specifies an email address.
  URI:uri      specifies a uniform resource identifier.
  DNS:dns      specifies a Domain Name System (DNS) name.
  RID:rid      specifies a registered ID (an object identifier).
  IP:IP        specifies an IP address in Internet Protocol version 4 (IPv4) format.

Summary of which names a certificate is valid for:

  CN              SAN              Certificate valid for
  …               [ not present ]  …
  *               [ not present ]  …
  [ whichever ]   …                …

Generate a certificate with SAN (Draft notes)

Some versions

[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6 01:06:18 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

[root@localhost ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

 Prepare the file system

<BASE> is your test directory, for example /root/TEST

cd <BASE>
mkdir certificates
mkdir keys
mkdir requests
mkdir configurations

Copy the default OpenSSL configuration; the path depends on the system.

On RHEL / CentOS:

cp /etc/pki/tls/openssl.cnf ./configurations/openssl-mydom.cnf

On Debian / Ubuntu:

cp /etc/ssl/openssl.cnf ./configurations/openssl-mydom.cnf

 Configure OpenSSL (modify openssl-mydom.cnf)

vi ./configurations/openssl-mydom.cnf

Activate the v3 extensions (uncomment req_extensions).
Note: search for req_extensions in openssl-mydom.cnf

[ req ]
default_bits = 2048
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

Define the subjectAltName (SAN): add the subjectAltName line under keyUsage, and add the [ san_mydom ] section it refers to (without that section header OpenSSL cannot resolve @san_mydom).
Note: search for [ v3_req ] in openssl-mydom.cnf

[ v3_req ]
# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @san_mydom

[ san_mydom ]
DNS.1 =
DNS.2 = *
DNS.3 =

Save ./configurations/openssl-mydom.cnf
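The SAN section is easy to get wrong by hand (a missing section header, keys not numbered DNS.1, DNS.2, …, or a wildcard written in a form that clients reject). The following added example, which is not part of the original notes, generates the [ v3_req ] and [ san_mydom ] blocks from a plain list of names, classifies each value into one of the SAN types listed above, and refuses wildcard DNS names that are not a single * as the whole leftmost label (the form RFC 6125 and public CAs accept). The names in EXAMPLE_NAMES are constructed placeholders; the section name san_mydom is taken from the notes.

```python
import ipaddress
from typing import Dict, List, Optional


def san_type(value: str) -> str:
    """Classify a SAN value into the OpenSSL type prefix it needs: IP, URI, email or DNS.
    (ipaddress also accepts IPv6; OpenSSL writes those as IP.n entries too.)"""
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        pass
    if "://" in value:
        return "URI"
    if "@" in value:
        return "email"
    return "DNS"


def dns_name_problem(name: str) -> Optional[str]:
    """Return a reason the DNS name is unacceptable as a SAN entry, or None if it is fine.
    Only the leftmost-label wildcard form (*.example.net) is allowed; partial labels
    (w*.example.net), inner wildcards (www.*.example.net), multiple wildcards and
    wildcards directly under a TLD (*.net) are rejected."""
    labels = name.split(".")
    if name.count("*") > 1:
        return "more than one wildcard"
    if any("*" in label and label != "*" for label in labels):
        return "wildcard must be the whole label, not a fragment"
    if "*" in name and labels[0] != "*":
        return "wildcard allowed only in the leftmost label"
    if "*" in name and len(labels) < 3:
        return "wildcard must sit under a registered domain, not directly under a TLD"
    return None


def build_san_section(values: List[str], section: str = "san_mydom") -> str:
    """Emit the '[ section ]' block with numbered DNS.n / IP.n / email.n / URI.n keys."""
    counters: Dict[str, int] = {}
    lines = [f"[ {section} ]"]
    for value in values:
        kind = san_type(value)
        if kind == "DNS":
            problem = dns_name_problem(value)
            if problem:
                raise ValueError(f"{value!r}: {problem}")
        counters[kind] = counters.get(kind, 0) + 1
        lines.append(f"{kind}.{counters[kind]} = {value}")
    return "\n".join(lines) + "\n"


def build_v3_req(values: List[str], section: str = "san_mydom") -> str:
    """The [ v3_req ] block from the notes, followed by the SAN section it points at."""
    head = (
        "[ v3_req ]\n"
        "basicConstraints = CA:FALSE\n"
        "keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n"
        f"subjectAltName = @{section}\n\n"
    )
    return head + build_san_section(values, section)


# Constructed placeholder names (hypothetical; not the names used in the original notes).
EXAMPLE_NAMES = [
    "busylog.net",
    "*.busylog.net",
    "login.mail.busylog.net",
    "192.168.2.1",
    "admin@busylog.net",
]

if __name__ == "__main__":
    # Paste the output into openssl-mydom.cnf in place of the hand-written sections.
    print(build_v3_req(EXAMPLE_NAMES))
```

The generated text is appended to the configuration file; the names are emitted in the order given, and the first failing wildcard stops generation so a bad entry never silently reaches the CSR.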

Certificate Signing Request

openssl req -new  -sha256 -subj '/C=IT/ST=Italy/L=Turin/' -newkey rsa:2048 -nodes -keyout ./keys/mydom.key -out ./requests/mydom.csr -config ./configurations/openssl-mydom.cnf
Note: the private key is in the folder ./keys
Note: the request mydom.csr is in the folder ./requests


Check request

openssl req -in ./requests/mydom.csr -noout -text
Certificate Request:
       Version: 0 (0x0)
       Subject: C=IT, ST=Italy, L=Turin,
       Subject Public Key Info:
         Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
             Exponent: 65537 (0x10001)
         Requested Extensions:
           X509v3 Basic Constraints:
           X509v3 Key Usage:
                 Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Subject Alternative Name:
       , DNS:*,
      Signature Algorithm: sha256WithRSAEncryption


openssl x509 -req -days 365 -in ./requests/mydom.csr -signkey ./keys/mydom.key -out ./certificates/mydom.crt -extensions v3_req -extfile ./configurations/openssl-mydom.cnf
Note: the certificate mydom.crt is in the folder ./certificates


Check certificate

openssl x509 -in ./certificates/mydom.crt -text -noout
        Version: 1 (0x0)
        Serial Number: 14284840978548226292 (0xc63df32f874f78f4)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, ST=Italy, L=Turin,
             Not Before: Oct 14 19:04:06 2016 GMT
             Not After : Oct 14 19:04:06 2017 GMT
         Subject: C=IT, ST=Italy, L=Turin,

Generate a keystore for Tomcat

openssl pkcs12 -export -in ./certificates/mydom.crt -inkey ./keys/mydom.key -out mydom.p12 -name tomcat-mydom

Then reference the PKCS#12 file from the HTTPS connector in Tomcat's server.xml (the export password you typed goes in keystorePass):

<Connector
 port="8443" maxThreads="200"
 scheme="https" secure="true" SSLEnabled="true"
 keystoreType="PKCS12" keystoreFile="/root/TEST/mydom.p12" keystorePass="password"
 clientAuth="false" sslProtocol="TLS"/>


Test URLs

Subject: C=IT, ST=Italy, L=Turin, …
X509v3 Subject Alternative Name: …, DNS:*, …

  URL to test   What matches
  url5          none (the CN … is not considered)
  url4          none
  url6          none
  url1          … DNS:* …
  url7          … DNS:* …
  url3          … DNS:* …
  url8          … DNS:* …
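The table above is the result of applying the two RFC 2818 rules quoted earlier (use the dNSName SANs and ignore the CN when any SAN is present; a * covers exactly one label or a fragment of it). The following added example, which is not code from the original post, implements exactly that matching so you can check a proposed name list before issuing a certificate. The two sample certificates (a SAN certificate with a CN that is deliberately absent from the SAN, and a CN-only wildcard certificate) are constructed for the example, using the page's busylog.net domain as a placeholder.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# A certificate identity as (type, value), e.g. ("DNS", "*.busylog.net") or ("IP", "192.168.2.1").
Identity = Tuple[str, str]


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; '*' may stand for the whole label or a fragment of it (RFC 2818: 'f*.com')."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern_label.split("*")) + "$"
    return re.match(regex, host_label, re.IGNORECASE) is not None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 name matching: label counts must agree, so a wildcard never spans a dot."""
    pattern_labels = pattern.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(pattern_labels, host_labels))


def identities_to_check(cn: Optional[str], san: Iterable[Identity]) -> List[Identity]:
    """RFC 2818 precedence: if any dNSName SAN is present, the CN is ignored entirely."""
    san_list = list(san)
    if any(kind == "DNS" for kind, _ in san_list):
        return san_list
    identities = [entry for entry in san_list if entry[0] == "IP"]
    if cn:
        identities.append(("CN", cn))
    return identities


def match_certificate(cn: Optional[str], san: Iterable[Identity], target: str) -> Optional[str]:
    """Return the identity that matches target ('DNS:...', 'IP:...' or 'CN:...'), or None."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for kind, value in identities_to_check(cn, san):
        if kind == "IP":
            if target_ip is not None and ipaddress.ip_address(value) == target_ip:
                return f"IP:{value}"
        elif target_ip is None and dns_name_matches(value, target):
            return f"{kind}:{value}"
    return None


def matching_table(cn: Optional[str], san: Iterable[Identity], targets: Iterable[str]):
    """Build the same kind of 'URL to test / what matches' table as in the post."""
    return [(target, match_certificate(cn, san, target)) for target in targets]


# Constructed sample certificates (hypothetical, not the ones issued in the post).
# The SAN certificate's CN is deliberately a name that is NOT in its SAN.
SAN_CERT_CN = "busylog.org"
SAN_CERT_SAN: List[Identity] = [
    ("DNS", "busylog.net"),
    ("DNS", "*.busylog.net"),
    ("DNS", "login.mail.busylog.net"),
    ("IP", "192.168.2.1"),
]
CN_ONLY_CERT_CN = "*.busylog.net"
CN_ONLY_CERT_SAN: List[Identity] = []

TEST_TARGETS = [
    "busylog.net",
    "abc.busylog.net",
    "login.mail.busylog.net",
    "other.mail.busylog.net",  # two levels below the wildcard: no match
    "192.168.2.1",
    "busylog.org",             # the CN: ignored because a SAN is present
]

if __name__ == "__main__":
    for title, cn, san in (("SAN certificate", SAN_CERT_CN, SAN_CERT_SAN),
                           ("CN-only wildcard certificate", CN_ONLY_CERT_CN, CN_ONLY_CERT_SAN)):
        print(title)
        for target, matched in matching_table(cn, san, TEST_TARGETS):
            print(f"  {target:28} {matched or 'none'}")
```

Running it prints one table per certificate; note that other.mail.busylog.net matches nothing under the SAN certificate even though login.mail.busylog.net does, and that the root name busylog.net is covered only because it is listed explicitly, never by the wildcard.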