SSL wildcard & SAN certificates

SAN SSL Certificate (TEST URLs)

Table of contents :
SSL wildcard & SAN certificates
CN : Common Name
SAN:  Subject Alternative Name
Example
Generate a certificate with SAN (Draft notes)
TEST

SSL wildcard & SAN certificates

An SSL certificate must be associated with a single server identity (busylog.net) or with multiple server identities (busylog.net, mail.busylog.net, www.busylog.net ...).
There are basically two places where you can associate identities (generally the hostname of the server) with a certificate:

  • the Common Name (CN) in the Subject Name
    • CN holds a single entry only: CN=busylog.net
  • the Subject Alternative Name (SAN)
    • SAN holds multiple entries: SAN=DNSName:mail.busylog.net,DNSName:www.busylog.net ...
"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead." (RFC2818)
This means that if the certificate contains a SAN, the CN is not considered. For example:
 CN=busylog.net
 SAN=DNSName:mail.busylog.net,DNSName:www.busylog.net
The certificate has multiple server identities, mail.busylog.net and www.busylog.net (but not busylog.net).

SSL Wildcard

If you do not want to list every entry (when there are many hostnames), you can use an SSL wildcard certificate.
Wildcard certificates are useful whenever you need a single certificate for a large number of servers.
For example:
  • If you have hundreds of front-end hostnames (the servers expose their hostnames directly and SSL is terminated on them, for example wmfe001.mail.busylog.net ... wmfe150.mail.busylog.net).
  • If you need to add new servers (hostnames) without generating new certificates.
  • There is only one certificate to revoke for all servers.

The wildcard is the symbol *; *.busylog.net can be used as short for:
  mail.busylog.net, pop.busylog.net, imap.busylog.net

A wildcard is valid only for a single sub-domain level, so *.busylog.net is not short for:
  busylog.net, fe01.mail.busylog.net ...

"Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com." (RFC2818)

CN: Common Name

Subject Name :

Organization (O) = Busylog
Organizational Unit (OU) = IT Mail Services Administrative unit
Country (C) = IT (two-letter ISO country code; Italy)
State (ST) = Italy (must be spelled out in full; no abbreviations)
Locality (L) = Turin City
Common Name (CN) = *.busylog.net

The Common Name is usually (but not necessarily) an FQDN: www.busylog.net
A certificate with CN=www.busylog.net is valid only for www.busylog.net. This means that you can reach the server with a browser (for example) at https://www.busylog.net, but if you try https://mail.busylog.net or https://busylog.net the certificate is not valid and the browser shows a warning.

CN Wildcard

You can work around this (partially) with a wildcard in the CN:
  CN=*.busylog.net
In this case the certificate is valid for: www.busylog.net, mail.busylog.net, pop.busylog.net, imap.busylog.net
But the certificate is still not valid for the root domain: busylog.net

SAN:  Subject Alternative Name

(http://en.wikipedia.org/wiki/SubjectAltName)

Using this you can specify a list of domains. Example:
SAN {
  DNS Name=busylog.net
  DNS Name=*.busylog.net
  DNS Name=login.mail.busylog.net
  IP: 192.168.2.1
}
In this case the certificate is valid for: busylog.net, mail.busylog.net, abc.busylog.net, login.mail.busylog.net, 192.168.2.1

Allowed SAN types

email:email  specifies an email address.
URI:uri      specifies a uniform resource identifier.
DNS:dns      specifies a Domain Name System (DNS) name.
RID:rid      specifies a registered ID.
IP:IP        specifies an IP address in Internet Protocol version 4 (IPv4) format.

EXAMPLE

CN                  SAN                                     dom.net  lev2.dom.net  lev2a.dom.net  lev3.lev2.dom.net
dom.net             [ not present ]
*.dom.net           [ not present ]
dom.net             lev2.dom.net
dom.net             dom.net, lev2.dom.net
lev3.lev2.dom.net   dom.net, *.dom.net
[ whichever ]       dom.net, *.dom.net, lev3.lev2.dom.net
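
The matching rules described above (a dNSName SAN replaces the CN; * covers one label or a fragment of one), applied to the CN/SAN rows of the EXAMPLE table against its four hostname columns. This is an added example, not part of the original notes: it follows only the RFC2818 wording quoted on this page, the function names are illustrative, and the CN used for the "[ whichever ]" row is a constructed placeholder.

```python
import re

def label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' stands for any run of characters inside that label."""
    regex = "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, label, re.IGNORECASE) is not None

def name_matches(pattern: str, host: str) -> bool:
    """RFC2818-style match: same number of labels, each label compared on its own."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))

def identities(cn, san_dns):
    """If any dNSName SAN is present it is the identity and the CN is ignored."""
    return list(san_dns) if san_dns else ([cn] if cn else [])

def cert_matches(cn, san_dns, host):
    """True when any identity of the certificate matches the requested hostname."""
    return any(name_matches(name, host) for name in identities(cn, san_dns))

# (CN, SAN dNSName list) rows of the EXAMPLE table.
# "[ whichever ]" is modelled with an arbitrary, constructed CN.
ROWS = [
    ("dom.net", []),
    ("*.dom.net", []),
    ("dom.net", ["lev2.dom.net"]),
    ("dom.net", ["dom.net", "lev2.dom.net"]),
    ("lev3.lev2.dom.net", ["dom.net", "*.dom.net"]),
    ("anything.example", ["dom.net", "*.dom.net", "lev3.lev2.dom.net"]),
]
HOSTS = ["dom.net", "lev2.dom.net", "lev2a.dom.net", "lev3.lev2.dom.net"]

def matrix():
    """One list of booleans per row, one boolean per hostname column."""
    return [[cert_matches(cn, san, h) for h in HOSTS] for cn, san in ROWS]

if __name__ == "__main__":
    for (cn, san), row in zip(ROWS, matrix()):
        marks = "  ".join("yes" if ok else "no " for ok in row)
        print(f"CN={cn:<18} SAN={','.join(san) or '-':<40} {marks}")
```

Rows three and five show the effect that is easiest to miss: once a SAN is present, the hostname in the CN stops matching unless it is also listed in the SAN.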
 

Generate a certificate with SAN (Draft notes)

Some versions

[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6 01:06:18 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

[root@localhost ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

 Prepare FileSystem

<BASE> is your test directory such as : /root/TEST
cd <BASE>
mkdir  certificates
mkdir  keys
mkdir  requests
mkdir  configurations

Depending on the system:

cp /etc/pki/tls/openssl.cnf ./configurations/openssl-mydom.cnf

or

cp /etc/ssl/openssl.cnf  ./configurations/openssl-mydom.cnf

Configure OpenSSL (modify openssl-mydom.cnf)

vi ./configurations/openssl-mydom.cnf
Activate the v3 extensions (uncomment req_extensions).
Note: search for req_extensions in openssl-mydom.cnf
[ req ]
default_bits = 2048
          ...
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

Define subjectAltName (SAN): the lines to add are the subjectAltName line (under keyUsage) and the [san_mydom] section.
Note: search for [ v3_req ] in openssl-mydom.cnf

[ v3_req ]
# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @san_mydom

[san_mydom]
DNS.1 = dom.net
DNS.2 = *.dom.net
DNS.3 = leve3.level2.dom.net 

Save ./configurations/openssl-mydom.cnf

Certificate Signing Request

openssl req -new  -sha256 -subj '/C=IT/ST=Italy/L=Turin/CN=a.b.dom.net' -newkey rsa:2048 -nodes -keyout ./keys/mydom.key -out ./requests/mydom.csr -config ./configurations/openssl-mydom.cnf
Note: the private key is in folder ./keys
Note: the request mydom.csr is in folder ./requests

 

Check request

openssl req -in ./requests/mydom.csr -noout -text
Certificate Request:
   Data:
       Version: 0 (0x0)
       Subject: C=IT, ST=Italy, L=Turin, CN=a.b.dom.net
       Subject Public Key Info:
         Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
              00:a9:8d:54:2e:9e:99:12:45:0e:e1:ac:03:81:2d:
              ...
              1e:77
             Exponent: 65537 (0x10001)
         Attributes:
         Requested Extensions:
           X509v3 Basic Constraints:
                CA:FALSE
           X509v3 Key Usage:
                 Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Subject Alternative Name:
                 DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net
      Signature Algorithm: sha256WithRSAEncryption
      ....

Self-sign

openssl x509 -req -days 365 -in ./requests/mydom.csr -signkey ./keys/mydom.key -out ./certificates/mydom.crt -extensions v3_req -extfile ./configurations/openssl-mydom.cnf
Note: the certificate mydom.crt is in folder ./certificates

 

Check certificate

openssl x509 -in ./certificates/mydom.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 14284840978548226292 (0xc63df32f874f78f4)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, ST=Italy, L=Turin, CN=a.b.dom.net
        Validity
             Not Before: Oct 14 19:04:06 2016 GMT
             Not After : Oct 14 19:04:06 2017 GMT
         Subject: C=IT, ST=Italy, L=Turin, CN=a.b.dom.net
         ...

Generate keystore for tomcat

openssl pkcs12 -export -in ./certificates/mydom.crt -inkey ./keys/mydom.key -out mydom.p12 -name tomcat-mydom
 <Connector
 protocol="org.apache.coyote.http11.Http11NioProtocol"
 port="8443" maxThreads="200"
 scheme="https" secure="true" SSLEnabled="true"
 keystoreType="PKCS12" keystoreFile="/root/TEST/mydom.p12" keystorePass="password"
 clientAuth="false" sslProtocol="TLS"/>

Test

Subject: C=IT, ST=Italy, L=Turin, CN=a.b.dom.net
X509v3 Subject Alternative Name:
   DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net
URL to test   What matches
url5          none (CN=a.b.dom.net is not considered)
url4          none
url6          none
url1          DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net
url7          DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net
url3          DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net
url8          DNS:dom.net, DNS:*.dom.net, DNS:leve3.level2.dom.net