Table of contents :
SSL wildcard & SAN certificates
CN : Common Name
SAN: Subject Alternative Name
Example
Generate a certificate with SAN (Draft notes)
TEST
SSL wildcard & SAN certificates
SSL certificate is must associate with a single Server Identity (busylog.net) or multi Server Identities (busylog.net, mail.busylog.net, www.busylog.net …).
Basically there are two places where you can associate Identities (generally hostname of server) to a certificate :
- the Common Name (CN) in Subject Name
- CN is for a single entry only : CN=busylog.net
- the Subject Alternative Name (SAN)
- SAN is multi entries : SAN=DNSName:mail.busylog.net,DNSName:www.busylog.net …
Common Name field in the Subject field of the certificate MUST be used.
Although the use of the Common Name is existing practice,
it is deprecated and Certification Authorities are encouraged to use the dNSName instead.RFC2818
CN=busylog.net
SAN=DNSName:mail.busylog.net,DNSName:www.busylog.net
Certificate has multi Server Identities mail.busylog.net and www.busylog.net (but not busylog.net)
SSL Wildcard
Perhaps you would not list all entries (in case of several hostnames) in this case you can use SSL Wildcard certificate.
Wildcard certificates are useful in all cases you need to have only 1 certificate for a huge number of servers.
For example :
If you have hundreds of front-end hostname (servers exports directly their hostname and SSL is terminated directly on them … example : wmfe001.mail.busylog.net … wmfe150.mail.busylog.net).
If you need to add new servers (hostname) without generate new certificates.
only one certificate to revoke for all servers.
Wildecard is the symbol * and it can be used *.busylog.net as short for :
mail.busylog.net, pop.busylog.net, imap.busylog.net
Wildecard is valid only at a single level sub-domain so *.busylog.net is not short for :
busylog.net, fe01.mail.busylog.net …
CN: Common Name
Subject Name :
| Organization (O) = Busylog | |
| Organizational Unit (OU) = IT Mail Services | Administrative unit |
| Country (C) = IT | Two-letter ISO country code (Italy) |
| State (ST) = Italy | Must be spelled out in full; no abbreviations |
| Locality (L) = Turin | City |
| Common Name (CN) = *.busylog.net |
Common Name is usually (but is not mandatory) a FQDN : www.busylog.net
A certificate with CN=www.busylog.net is valid only for www.busylog.net. This mean that you can access to server using a browser (for example) with https://www.busylog.net … but if you try to access with: https://mail.busylog.net or https://busylog.net the certificate is not valid and browser shows a warning.
CN Wildcard
So you can workout (partially) with wildcard in CN:
CN=*.busylog.net
In this case certificate is valid for : www.busylog.net, mail.busylog.net, pop.busylog.net, imap.busylog.net
But still the certificate is not valid of root domain : busylog.net
SAN: Subject Alternative Name
( http://en.wikipedia.org/wiki/SubjectAltName )
Using this you can specify list of domains… examples :
SAN {
DSN Name=busylog.net
DSN Name=*.busylog.net
DSN Name=login.mail.busylog.net
IP: 192.168.2.1
}
In this case certificate is valid for : busylog.net, mail.busylog.net, abc.busylog.net, login.mail.busylog.net, 192.168.2.1
Allowed SAN types
email:email specifies an email address.
URI:uri specifies a uniform resource indicator.
DNS:dns specifies a Domain Name System (DNS).
RID:rid specifies a registered ID.
IP:IP specifies an IP address in Internet Protocol version 4 (IPv4) format.
EXAMPLE
| CN | SAN | dom.net | lev2.dom.net | lev2a.dom.net | lev3.lev2.dom.net |
| dom.net | [ not present ] | ||||
| *.dom.net | [ not present ] | ||||
| dom.net | lev2.dom.net | ||||
| dom.net | dom.net lev2.dom.net |
||||
| lev3.lev2.dom.net | dom.net *.dom.net |
||||
| [ whichever ] | dom.net *.dom.net lev3.lev2.dom.net |
Generate a certificate with SAN (Draft notes)
Some versions
[root@localhost ~]# uname -a Linux localhost.localdomain 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6 01:06:18 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux [root@localhost ~]# cat /etc/redhat-release CentOS Linux release 7.1.1503 (Core) [root@localhost ~]# openssl version OpenSSL 1.0.1e-fips 11 Feb 2013
Prepare FileSystem
<BASE> is your test directory such as : /root/TEST cd <BASE> mkdir certificates mkdir keys mkdir requests mkdir configurations
Depending of system :
cp /etc/pki/tls/openssl.cnf ./configurations/openssl-mydom.cnf
or
cp /etc/ssl/openssl.cnf ./configurations/openssl-mydom.cnf
Configure open SSL (modify openssl-mydom.cnf)
vi ./configurations/openssl-mydom.cnf
Note search for req_extensions in openssl-mydom.cnf
[ req ] default_bits = 2048 ... string_mask = utf8only req_extensions = v3_req # The extensions to add to a certificate request
Define subjectAltName (SAN) … lines to add in color GREEN (under keyYsage).
Note search for [ v3_req ] in openssl-mydom.cnf
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @san_mydom
[san_mydom]
DNS.1 = dom.net
DNS.2 = *.dom.net
DNS.3 = leve3.level2.dom.net
Save ./configurations/openssl-mydom.cnf
Certificate Signing Request
openssl req -new -sha256 -subj '/C=IT/ST=Italy/L=Turin/CN=a.b.dom.net' -newkey rsa:2048 -nodes -keyout ./keys/mydom.key -out ./requests/mydom.csr -config ./configurations/openssl-mydom.cnf
Note Private key in folder ./keysNote Request mydom.csr in folder ./requests
Check request
openssl req -in ./requests/mydom.csr -noout -text
Certificate Request: Data: Version: 0 (0x0) Subject: C=IT, ST=Italy, L=Turin, CN=a.b.dom.net Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a9:8d:54:2e:9e:99:12:45:0e:e1:ac:03:81:2d: ... 1e:77 Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net Signature Algorithm: sha256WithRSAEncryption ....
Selfsign
openssl x509 -req -days 365 -in ./requests/mydom.csr -signkey ./keys/mydom.key -out ./certificates/mydom.crt -extensions v3_req -extfile ./configurations/openssl-mydom.cnf
Note Certificate mydon.crt in folder ./certificates
Check certificate
openssl x509 -in ./certificates/mydom.crt -text -noout
Certificate: Data: Version: 1 (0x0) Serial Number: 14284840978548226292 (0xc63df32f874f78f4) Signature Algorithm: sha1WithRSAEncryption Issuer: C=IT, ST=Italy, L=Turin, CN=a.b.dom.net Validity Not Before: Oct 14 19:04:06 2016 GMT Not After : Oct 14 19:04:06 2017 GMT Subject: C=IT, ST=Italy, L=Turin, CN=a.b.dom.net ...
Generate keystore for tomcat
openssl pkcs12 -export -in ./certificates/mydom.crt -inkey ./keys/mydom.key -out mydom.p12 -name tomcat-mydom
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12" keystoreFile="/root/TEST/mydom.p12" keystorePass="password" clientAuth="false" sslProtocol="TLS"/>
Test
Subject: C=IT, ST=Italy, L=Turin, CN=a.b.dom.net X509v3 Subject Alternative Name: DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net
| Url to Test | What match |
 |
none (CN=a.b.dom.net is not considered) |
 |
none |
 |
none |
 |
DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net |
 |
DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net |
 |
DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net |
 |
DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net |
Add Comment