
OpenSSL Certificate With subjectAltName One-Liner

See how to create a self-signed OpenSSL certificate in a single command that includes one or more subjectAltName entries.

By Jonathan Kamke · Jun. 16, 16 · Performance Zone · Tutorial

To create a self-signed OpenSSL certificate in a single command that contains one or more subjectAltName entries, you must pass both -extensions and -config, as follows.

# Requires bash (process substitution). -config feeds openssl a temporary file made of
# the system openssl.cnf plus an appended [SAN] section; -extensions SAN selects that
# section for the certificate (with -x509 a certificate is produced, not a CSR, so it is
# -extensions rather than -reqexts). -nodes leaves the private key unencrypted.
# The OS test uses == for a string comparison: -eq is arithmetic and, in bash, silently
# evaluates both non-numeric strings to 0, so it would pick the macOS path on Linux too.
openssl req \
  -newkey rsa:4096 \
  -days 3650 \
  -nodes \
  -x509 \
  -subj "/C=US/ST=Distributed/L=Cloud/O=Cluster/CN=*.api-scispike.com" \
  -extensions SAN \
  -config <( cat $( [[ "$(uname -s)" == "Darwin" ]] && echo /System/Library/OpenSSL/openssl.cnf || echo /etc/ssl/openssl.cnf ) \
    <(printf "[SAN]\nsubjectAltName='DNS.1:*.api-scispike.com,DNS.2:api.scispike.com,DNS.3:app.scispike.com'")) \
  -keyout private_key.pem \
  -out server.crt

Inspecting the certificate with openssl x509 (the -certopt no_sigdump,no_pubkey options only trim the signature and public-key dumps) shows the X509v3 Subject Alternative Name extension, confirming that it worked.

$ openssl x509 -noout -certopt no_sigdump,no_pubkey -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b1:93:3d:ed:5f:48:64:b4
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Distributed, L=Cloud, O=Cluster, CN=*.api-scispike.com
        Validity
            Not Before: Jun 11 00:25:48 2016 GMT
            Not After : Jun  9 00:25:48 2026 GMT
        Subject: C=US, ST=Distributed, L=Cloud, O=Cluster, CN=*.api-scispike.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:*.api-scispike.com, DNS:api.scispike.com, DNS:app.scispike.com

I came up with this solution by piecing together man pages and random Google results. I was surprised at how many incomplete and inaccurate answers were out there. What may have been more surprising was the complete lack of a full, intact solution.

Some examples simply output CSRs or require creating larger portions of openssl.cnf. The worst were examples that appended subjectAltName to the subject. They look like they are going to work, but then don't.

Inspiration for my approach came from this nearly complete answer at StackExchange: Provide subjectAltName to openssl directly on command line. Buried near the bottom is a partial example (which I originally missed) that indicates -extensions rather than -reqexts. This is rather an important detail, considering we are trying to make a certificate, not a CSR.
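As an added example (not code from the original article), the script below packages the same technique into a portable shell function: it writes a minimal config containing the [SAN] section to a temporary file instead of concatenating the system openssl.cnf, so it does not depend on the macOS/Linux path switch, and it then checks the result the way a TLS client would, by asking openssl verify -verify_hostname whether a given host name is covered. The function names, the example.test host names, the 2048-bit key and the explicit -sha256 (the article's 2016 output shows sha1WithRSAEncryption, which was simply the default signature digest at the time) are assumptions of this example, not the article's.

```shell
#!/bin/sh
# Added example (not from the original article): create a self-signed certificate
# with subjectAltName entries from a self-contained config, then check which host
# names it actually covers. Function names and host names are assumptions.
set -eu

# make_san_cert KEY_OUT CERT_OUT SAN_LIST CN
#   SAN_LIST is the value of subjectAltName, e.g. "DNS:*.example.test,DNS:example.test"
make_san_cert() {
    key="$1"; crt="$2"; sans="$3"; cn="$4"
    cfg="$(mktemp)"
    # Minimal config: req insists on a distinguished_name section even when -subj
    # supplies the whole subject; [SAN] is selected by -extensions SAN as in the article.
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
[dn]
[SAN]
subjectAltName = ${sans}
EOF
    # -extensions (not -reqexts) because -x509 emits a certificate, not a CSR.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "/CN=${cn}" -extensions SAN -config "$cfg" \
        -keyout "$key" -out "$crt" 2>/dev/null
    rm -f "$cfg"
}

# cert_san CERT: print the Subject Alternative Name list (empty if the extension is absent)
cert_san() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# cert_matches_host CERT HOST: exit 0 if OpenSSL's host-name matcher accepts HOST.
# The self-signed certificate is passed as its own trust anchor so that only the
# name check can fail.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo: one wildcard entry plus two exact names, mirroring the article's layout.
demo() {
    dir="$(mktemp -d)"
    make_san_cert "$dir/key.pem" "$dir/cert.pem" \
        "DNS:*.api.example.test,DNS:api.example.test,DNS:app.example.test" \
        "*.api.example.test"
    echo "SAN: $(cert_san "$dir/cert.pem")"
    for h in foo.api.example.test api.example.test app.example.test \
             example.test sub.app.example.test; do
        if cert_matches_host "$dir/cert.pem" "$h"; then
            echo "$h: covered"
        else
            echo "$h: NOT covered"
        fi
    done
    rm -rf "$dir"
}

demo
```

Running it shows that foo.api.example.test, api.example.test and app.example.test are accepted while example.test and sub.app.example.test are rejected: a wildcard entry covers exactly one label, and an exact entry covers only itself, so every name clients will connect to has to be listed. Modern browsers ignore the CN entirely and match only against the SAN, which is why the article's approach matters. On OpenSSL 1.1.1 or later the config file can be replaced by -addext "subjectAltName=DNS:..." on the openssl req command line.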


Published at DZone with permission of Jonathan Kamke, DZone MVB. See the original article here.
