{"id":230,"date":"2017-11-30T23:02:52","date_gmt":"2017-11-30T23:02:52","guid":{"rendered":"http:\/\/www.edrockwell.com\/blog\/?p=230"},"modified":"2021-04-16T16:46:31","modified_gmt":"2021-04-16T16:46:31","slug":"how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san","status":"publish","type":"post","link":"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/","title":{"rendered":"How to Create TLS Certificates using OpenSSL with wildcards in the SAN"},"content":{"rendered":"<p>UPDATED 2\/4\/2021<br \/>\nUPDATE 4\/16\/2021 &#8211; Added commands to<\/p>\n<p>Below are the basic steps to use OpenSSL to create a TLS certificate request using a config file and a private key. You will first create\/modify the config file below, then generate a private key, then create a .csr. This CSR is the file you submit to a certificate authority to get back the public certificate. Once you have the private key and the resulting public certificate, you chain them together (including the CA&#8217;s public certs) into a single file that you can install on a Linux server or load balancer, or convert to a .pfx file for Windows. I&#8217;ve been doing this for years and it works very well.<\/p>\n<p>Some gotchas&#8230; If you are creating wildcard certificates, you always have to have both the root domain and the *.domain in the certificate, because a wildcard matches exactly one label and *.domaina.com therefore does not match the bare name domaina.com.<br \/>\nFor example, if you want to create a certificate covering domaina.com and domainb.com, and support all names like www.domaina.com, abc.domaina.com AND domaina.com, you need to have both *.domaina.com and domaina.com in the SAN section of the config file. Look carefully at the file below. 
You will see both in it.<\/p>\n<h2>Create a config file<\/h2>\n<p>Modify this config file and use it to create your certificate.<\/p>\n<pre class=\"lang:default decode:true \">## Start of File\n# OpenSSL configuration to generate a new key with signing request for an x509v3\n# multidomain certificate\n[ req ]\ndefault_bits = 2048\ndefault_md = sha256\ndefault_keyfile = key.pem\nprompt = no\nencrypt_key = no\n# base request\ndistinguished_name = req_distinguished_name\n# extensions\nreq_extensions = v3_req\n# distinguished_name\n[ req_distinguished_name ]\ncountryName = \"US\" # C=\nstateOrProvinceName = \"Minnesota\" # ST=\nlocalityName = \"Your City\" # L=\norganizationName = \"Your Company\" # O=\ncommonName = \"domain.com\" # CN=\n# req_extensions\n[ v3_req ]\n# The subject alternative name extension allows various literal values to be\n# included in the configuration file\n# http:\/\/www.openssl.org\/docs\/apps\/x509v3_config.html\n# Each wildcard domain needs both the *.domain entry and the bare domain entry\nsubjectAltName = DNS:*.domain.com,DNS:domain.com,DNS:domainb.com,DNS:*.domainb.com # multidomain certificate\n## End of File<\/pre>\n<h2>Generate a key for the new certificate.<\/h2>\n<p>You could re-use a key, but that&#8217;s not so secure, so always generate a new key every time!<\/p>\n<pre class=\"lang:default decode:true\">openssl genrsa -out &lt;private key file name&gt;.key 2048<\/pre>\n<h2>Create the CSR request.<\/h2>\n<p>Use the .cnf you created in step 1.<\/p>\n<pre class=\"lang:default decode:true \">openssl req -new -key &lt;private key file name&gt;.key -config &lt;DomainName&gt;.cnf -out &lt;csr file name&gt;.csr<\/pre>\n<h2>Submit your CSR<\/h2>\n<p>Open your .csr file in a text editor (never use Notepad) and copy the contents. Then submit it to an authority (internal for our sake) and download your certificate as base64. If you are going to submit it to an online authority, use a reputable authority like DigiCert. Don&#8217;t use Thawte or Symantec. 
They are going away soon.<\/p>\n<h2>Merge your public certificate<\/h2>\n<p>Merge your public certificate, intermediate cert, root cert, and private key (in that order) and save the result as a .pem file. Because this file contains the private key, keep its permissions restricted to the account that needs to read it.<\/p>\n<p><strong><em>NOTE: if this is for a public website, you don&#8217;t need to add the root cert to the chain. The clients&#8217; browsers should already have that root in their trust store, and the chain is trusted more readily if you leave the root out.<\/em><\/strong><\/p>\n<p>It should look like this (your public certificate goes at the top and your private key at the bottom):<\/p>\n<pre class=\"lang:default decode:true \">-----BEGIN CERTIFICATE-----\n### Replace me with the certificate you received from the authority ###\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n### INTERMEDIATE CERT HERE ###\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n### ROOT CERT HERE ###\n-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\n### replace me with your .key file ###\n-----END RSA PRIVATE KEY-----<\/pre>\n<h2>If necessary, convert your cert from PEM to PFX<\/h2>\n<p>If you need to convert your cert from .PEM to .PFX, run the command below. If you don&#8217;t need a friendly name, omit the -name option:<\/p>\n<pre class=\"lang:default decode:true \">openssl pkcs12 -export -out CERTNAME.pfx -in CERTNAME.pem -name \"friendlyname\"<\/pre>\n<p>Copy your certificate over to your server and install it. On Windows you can either install it using the Certificates MMC or import it into IIS. If you are using a .pem file on Linux, you can import the cert into your load balancer or Linux server of choice.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATED 2\/4\/2021 UPDATE 4\/16\/2021 &#8211; Added commands to Below are the basic steps to use OpenSSL and create a TLS certificate request using a config file and a private key. You will first create\/modify the below config file to generate a private key. Then you will create a .csr. 
This CSR is the file you [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[67,92,93],"tags":[101,99,100],"class_list":["post-230","post","type-post","status-publish","format-standard","hentry","category-certificates","category-pci","category-security","tag-openssl","tag-san-certificates","tag-wildcard-certificates"],"aioseo_notices":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to Create TLS Certificates using OpenSSL with wildcards in the SAN - System Admin [RESOLVED]<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Create TLS Certificates using OpenSSL with wildcards in the SAN - System Admin [RESOLVED]\" \/>\n<meta property=\"og:description\" content=\"UPDATED 2\/4\/2021 UPDATE 4\/16\/2021 &#8211; Added commands to Below are the basic steps to use OpenSSL and create a TLS certificate request using a config file and a private key. You will first create\/modify the below config file to generate a private key. Then you will create a .csr. 
This CSR is the file you [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/\" \/>\n<meta property=\"og:site_name\" content=\"System Admin [RESOLVED]\" \/>\n<meta property=\"article:published_time\" content=\"2017-11-30T23:02:52+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-04-16T16:46:31+00:00\" \/>\n<meta name=\"author\" content=\"Ed Rockwell\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@EddieRock\" \/>\n<meta name=\"twitter:site\" content=\"@EddieRock\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ed Rockwell\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/\"},\"author\":{\"name\":\"Ed Rockwell\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#\/schema\/person\/e181b98aceccea720abee0c25bbfbcd7\"},\"headline\":\"How to Create TLS Certificates using OpenSSL with wildcards in the SAN\",\"datePublished\":\"2017-11-30T23:02:52+00:00\",\"dateModified\":\"2021-04-16T16:46:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/\"},\"wordCount\":491,\"commentCount\":0,\"keywords\":[\"OpenSSL\",\"SAN Certificates\",\"Wildcard 
Certificates\"],\"articleSection\":[\"Certificates\",\"PCI\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/\",\"url\":\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/\",\"name\":\"How to Create TLS Certificates using OpenSSL with wildcards in the SAN - System Admin [RESOLVED]\",\"isPartOf\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#website\"},\"datePublished\":\"2017-11-30T23:02:52+00:00\",\"dateModified\":\"2021-04-16T16:46:31+00:00\",\"author\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#\/schema\/person\/e181b98aceccea720abee0c25bbfbcd7\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/how-to-create-ssl-certificates-using-openssl-with-wildcards-in-the-san\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.edrockwell.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Create TLS Certificates using OpenSSL with wildcards in the SAN\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#website\",\"url\":\"https:\/\/www.edrockwell.com\/blog\/\",\"name\":\"System Admin [RESOLVED]\",\"description\":\"How To: Make My DevOps Life 
Easier\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.edrockwell.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.edrockwell.com\/blog\/#\/schema\/person\/e181b98aceccea720abee0c25bbfbcd7\",\"name\":\"Ed Rockwell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/dea3152d7acd78aa28d280207c33f7ec516731ece9a54249cbbbebcfffc341e0?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/dea3152d7acd78aa28d280207c33f7ec516731ece9a54249cbbbebcfffc341e0?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/dea3152d7acd78aa28d280207c33f7ec516731ece9a54249cbbbebcfffc341e0?s=96&d=mm&r=g\",\"caption\":\"Ed Rockwell\"},\"sameAs\":[\"http:\/\/www.therockwells.net\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}