Fortunately both IE and FF support an extension that allows multiple hostnames to be specified in the certificate in addition to the CN (reportedly Java does not support it; I still need to check). The extension, Subject Alternative Name, is described in RFC 5280.
I've done the following to generate such certificates with openssl:
First, we need to add the extension support in openssl.cnf:
In the [CA_default] section add (I'm not sure this is required, and it reportedly carries a security risk: the setting is only read by openssl ca, and it makes the CA copy every extension in the request into the signed certificate, so whoever controls the request controls those extensions):
copy_extensions = copy
in the [req] section add:
req_extensions = v3_req
and in the [v3_req] section, list every hostname and IP address the certificate should be valid for:
subjectAltName = IP:1.2.3.4,IP:127.0.0.1,DNS:myhost.acme.com,DNS:myhost,DNS:localhost.localdomain,DNS:localhost
Now we can generate a request, careful to include the config file so the extensions are included:
openssl req -config /etc/ssl/openssl.cnf -new -out multi.csr -key server.key
And sign it, again careful to include the config file: the -extfile/-extensions pair is what carries the extensions into the certificate, since openssl x509 -req does not copy them from the request on its own. Replace x with the serial number to use:
openssl x509 -extfile /etc/ssl/openssl.cnf -extensions v3_req -req -days 365 -in multi.csr -CA ca.crt -CAkey ca.key -set_serial x -out multi.crt
And that's about it!
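As an added example (not from the post), here is a self-contained script that runs the steps above against a throwaway CA in a scratch directory and then checks the result: it signs the same request once with -extfile/-extensions and once without, shows which certificate actually carries the SAN, and uses openssl verify -verify_hostname to confirm the SAN names are accepted. The config, the CA and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's steps end to end in a
# scratch directory and check that the SAN actually survives signing.
# The config, the throwaway CA and all file names are constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/san.cnf"
# The sections the post adds, plus the distinguished_name section that
# openssl req insists on when -config is given, and a section for the demo CA.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = myhost.acme.com
[ v3_req ]
subjectAltName = IP:127.0.0.1,DNS:myhost.acme.com,DNS:myhost,DNS:localhost
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Throwaway CA standing in for the post's existing ca.crt / ca.key.
openssl req -x509 -config "$CONF" -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo CA" -days 3 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server key and request; -config is what pulls req_extensions into the CSR.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -config "$CONF" -new -key "$WORK/server.key" -out "$WORK/multi.csr"

# Sign it twice: once as the post does, once without -extfile/-extensions,
# which is the easy way to lose the SAN (x509 -req does not copy CSR extensions).
openssl x509 -req -in "$WORK/multi.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 1 -days 3 -sha256 -extfile "$CONF" -extensions v3_req \
    -out "$WORK/multi.crt" 2>/dev/null
openssl x509 -req -in "$WORK/multi.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 2 -days 3 -sha256 -out "$WORK/noext.crt" 2>/dev/null

# Succeeds when the certificate carries a Subject Alternative Name extension.
has_san() { openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; }
# Succeeds when the certificate chains to the demo CA and is valid for host $2.
valid_for() { openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
has_san "$WORK/multi.crt" && ! has_san "$WORK/noext.crt" && echo "SAN kept only with -extfile"
valid_for "$WORK/multi.crt" localhost && echo "multi.crt is valid for localhost"
valid_for "$WORK/noext.crt" localhost || echo "noext.crt is not valid for localhost"
```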