How to create a certificate request with subjectAltNames with OpenSSL on Windows

By ramon
March 8, 2009

Sometimes you host multiple websites on one machine on one IP address. Because of the way SSL works you can have only one certificate per IP address + port combination, and then you have a problem. One solution is to host all websites under one host(name); the other is to create an SSL certificate that contains multiple hostnames. The problem is that you cannot create such a certificate from within IIS, and that is what this article is for.

Download and install OpenSSL for Windows from Shining Light.

  1. Create a private key for your certificate: openssl genrsa 2048 > multicert.key
  2. Create a configuration file, multicert.cnf, with your certificate data:
# -------------- BEGIN custom multicert.cnf -----
HOME = .
oid_section = new_oids
[ new_oids ]
[ req ]
default_days = 730
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req # Extensions to add to certificate request
[ req_distinguished_name ]
commonName              = Your nice common name
commonName_default      = www.mydomain.com
commonName_max = 64
[ v3_req ]
subjectAltName=DNS:ftp.mydomain.com,DNS:blog.mydomain.com,DNS:*.mydomain.com
# -------------- END custom multicert.cnf -----


  3. Create a certificate request: openssl req -new -key multicert.key -out multicert.csr -config multicert.cnf
  4. Submit your certificate request to your CA (I often use www.cacert.org)
  5. Save the CA's response to your certificate request to a file multicert.cer
  6. Create a PFX file that contains both the certificate (public key) and the private key: openssl pkcs12 -export -out multicert.pfx -in multicert.cer -inkey multicert.key

Note that I used the same domain name for all entries and only changed the subdomains, but I could just as easily have used different domain names, as long as you are allowed to use those domain names according to how you are registered at the CA that you are going to use.

And voilà, there you have your PFX file that can be loaded into IIS and used for several websites matching the included hostnames on one IP address + port combination.
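The two things that go wrong most often with this procedure are a config file whose subjectAltName list does not actually cover the hostnames you serve (wildcards match exactly one label, so *.mydomain.com covers www.mydomain.com but not mydomain.com itself or a.b.mydomain.com), and a request that lists a hostname the CA has not verified for you, which the CA will reject. The following script is an added example and is not code from the original post: it writes a request config equivalent to the one above using the @alt_names section form, and then checks a list of hostnames against the SAN entries and against the domains you are registered for at the CA. The file name multicert.cnf, the section name alt_names and the sample hostnames are assumptions; the matching rule follows the usual browser behaviour for wildcard names.

```python
"""Build an OpenSSL request config with subjectAltName entries and check
which hostnames a certificate issued from it would cover.

Added example, not the original post's code.  File names, the section
name 'alt_names' and the sample hostnames below are assumptions.
"""
from __future__ import annotations


def build_req_config(common_name: str, san_hosts: list[str]) -> str:
    """Return the text of an openssl.cnf that puts the CN and every host in
    san_hosts into the CSR's subjectAltName extension.

    The CN is added to the SAN list when it is not already listed, because
    TLS clients match the hostname against SAN entries, not against the CN.
    """
    hosts: list[str] = []
    for h in [common_name, *san_hosts]:
        h = h.strip().lower()
        if h and h not in hosts:          # de-duplicate, keep order
            hosts.append(h)
    lines = [
        "[ req ]",
        "distinguished_name = req_distinguished_name",
        "encrypt_key = no",
        "prompt = no",                    # take the CN from this file, do not ask
        "req_extensions = v3_req",
        "",
        "[ req_distinguished_name ]",
        f"commonName = {common_name}",
        "",
        "[ v3_req ]",
        "subjectAltName = @alt_names",
        "",
        "[ alt_names ]",
    ]
    lines += [f"DNS.{i} = {h}" for i, h in enumerate(hosts, start=1)]
    return "\n".join(lines) + "\n"


def san_matches(pattern: str, hostname: str) -> bool:
    """Does one DNS SAN entry cover hostname?

    A '*' is only accepted as the entire leftmost label, it matches exactly
    one label, and at least two literal labels must follow it, so
    '*.mydomain.com' covers 'www.mydomain.com' but neither 'mydomain.com'
    nor 'a.b.mydomain.com', and '*.com' covers nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    if (p_labels[0] != "*"
            or any("*" in lbl for lbl in p_labels[1:])
            or len(p_labels) < 3):
        return False
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_hosts(san_hosts: list[str], candidates: list[str]) -> dict[str, bool]:
    """Map each candidate hostname to whether any SAN entry covers it."""
    return {c: any(san_matches(p, c) for p in san_hosts) for c in candidates}


def unverified_hosts(san_hosts: list[str], registered_domains: list[str]) -> list[str]:
    """Return SAN entries that are not under a domain the CA verified for you."""
    owned = [d.lower().rstrip(".") for d in registered_domains]
    return [
        h for h in san_hosts
        if not any(h.lower().rstrip(".") == d or h.lower().rstrip(".").endswith("." + d)
                   for d in owned)
    ]


if __name__ == "__main__":
    # Constructed sample data mirroring the post's config.
    CN = "www.mydomain.com"
    SAN = ["ftp.mydomain.com", "blog.mydomain.com", "*.mydomain.com"]
    with open("multicert.cnf", "w", encoding="ascii") as f:
        f.write(build_req_config(CN, SAN))
    for host, ok in covered_hosts(SAN, ["www.mydomain.com", "mydomain.com",
                                        "a.b.mydomain.com"]).items():
        print(f"{host:20} {'covered' if ok else 'NOT covered'}")
    print("not verified at CA:", unverified_hosts(SAN + ["shop.other.net"], ["mydomain.com"]))
```

After the script has written multicert.cnf you can run the same openssl req command as in step 3 with -config multicert.cnf, and confirm the extension really made it into the request with openssl req -noout -text -in multicert.csr, which prints the X509v3 Subject Alternative Name block.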

Configure hostheaders for SSL

You still need to add the correct host header to each website from the command line, as this cannot be done from within the management console.

IIS6

cscript.exe adsutil.vbs set /w3svc/{site identifier}/AccessSSL TRUE

Where {site identifier} is the id/number of the website, which you can see when you click the "Websites" node in the IIS6 management console. Click here for detailed instructions for IIS6.

IIS7

appcmd set site /site.name:"MySite V2" /+bindings.[protocol='https',bindingInformation='*:443:sitev2.mysite.com']

Instructions for IIS7
