HOW TO: Create SSL SAN Certificate

Apologies for the minimalistic instructions, but this is how I do it using OpenSSL and Linux.

SSL SAN certificates are needed when you want to serve multiple SSL sites from a single IP address using a single SSL certificate.

# Copy the crap needed to your own ~ (create the working directory first)
mkdir -p ~/certwork
cp /etc/pki/tls/openssl.cnf ~/certwork
cp /etc/ca.* ~/certwork
vi ~/certwork/openssl.cnf

# Uncomment the following line in the [ req ] section
req_extensions = v3_req

# Add the Subject Alternative Names to the v3_req section
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = myaccount.uat.austar.com.au
DNS.2 = tci.uat.austar.com.au
DNS.3 = imagelibrary.uat.austar.com.au
DNS.4 = onlinetv.uat.austar.com.au
DNS.5 = tvguide.uat.austar.com.au
# [ v3_ca ] is the next section already in the file; leave it as is
[ v3_ca ]

# Create the certificate request

openssl req -new -config ~/certwork/openssl.cnf -key ~/certwork/ca.key -out gol-uatnet1.csr

# Get warm and fuzzy with certificate request confirming it contains your ALT names

openssl req -text -noout -in gol-uatnet1.csr

# Sign the certificate

openssl x509 -req -days 365 -extfile ~/certwork/openssl.cnf -extensions v3_req -in gol-uatnet1.csr -CA ~/certwork/ca.crt -CAkey ~/certwork/ca.key -CAcreateserial -out gol-uatnet1.cert
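The CSR check and signing steps above, as an added example that is not part of the original post: it builds a throwaway CA and a separate server key (rather than reusing ca.key as the post does) under a temp directory, uses constructed example.test hostnames, and shows that the signed certificate only carries the SANs when -extfile/-extensions v3_req are passed to x509 -req.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA + SAN server cert in a
# temp dir, then a check that every intended hostname is in the signed cert.
# Hostnames under example.test are constructed samples; all keys are local and temporary.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
HOSTS="www.example.test api.example.test cdn.example.test"

# Minimal request config mirroring the post's v3_req / alt_names sections
write_san_config() {
  {
    printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
    printf '[ dn ]\nCN = www.example.test\n'
    printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n[ alt_names ]\n'
    i=1; for h in $HOSTS; do printf 'DNS.%s = %s\n' "$i" "$h"; i=$((i+1)); done
  } > san.cnf
}

# Throwaway CA; the server gets its own key instead of reusing ca.key
make_ca_and_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -config san.cnf -subj "/CN=Throwaway Test CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -config san.cnf \
    -out server.csr 2>/dev/null
}

# $1 = output cert, remaining args = extra x509 options (e.g. -extfile/-extensions)
sign_cert() {
  out=$1; shift
  openssl x509 -req -days 30 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$out" "$@" 2>/dev/null
}

# Succeeds only if every host in $HOSTS is listed as DNS: in the cert's SAN extension
san_check() {
  sans=$(openssl x509 -noout -text -in "$1" | awk '/Subject Alternative Name/{getline; print}')
  for h in $HOSTS; do
    case "$sans" in *"DNS:$h"*) ;; *) echo "MISSING $h in $1"; return 1 ;; esac
  done
  return 0
}

write_san_config; make_ca_and_csr
sign_cert with-san.crt -extfile san.cnf -extensions v3_req
sign_cert no-san.crt   # x509 -req does not copy CSR extensions unless told to
san_check with-san.crt && echo "with-san.crt: all SANs present"
san_check no-san.crt || echo "no-san.crt: SANs dropped (signed without -extfile/-extensions)"
```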

# Windows sucks when dealing with SAN certs so you need to create the following

openssl pkcs12 -export -in ~/certwork/gol-uatnet1.cert -inkey ~/certwork/ca.key -out gol-uatnet1.pfx -name "gol-uatnet1"

# Import PFX into Computer Certificate Store

Start -> Run -> mmc [enter]
Add the ‘Certificates’ snap-in
When prompted select the ‘Computer Account’
Expand Certificates -> Personal
Right-click -> All Tasks -> Import

OK, now to assign within IIS6

Create a dummy site or use the default site.
Manually assign the certificate to this initial site.

Since you cannot add multiple SSL host headers in IIS6, you now need to run the following for each of your remaining sites.

cscript.exe adsutil.vbs set /w3svc/<identifier value>/SecureBindings ":443:<host.header.value>"

…and there you have it, one IP address, one SSL certificate and one big headache out of the way.
