Create self signed certificates with Subject Alternative Names

preview_player
Показать описание
This video explains how to create a self signed certificate with Subject Alternative Names (SAN).

A certificate with Subject Alternative Names is a single certificate supporting multiple Common Names (CN), for example:

This means this single certificate can be used in multiple URLs:

Chrome browsers will issue a warning if your SSL certificate does not specify Subject Alternative Names.

This video assumes that you have installed OpenSSL.

To check if your system has OpenSSL installed, type: openssl version -a

The procedure to create self signed certificates with Subject Alternative names is also documented at:

Warning: Never use self signed certificates in production environments.
It is okay to use it in development or testing environments.

1. Create a 2048 bit Certificate Authority (CA) private key:

2. Create a self signed CA certificate:

3. Create a 2048 bit Certificate Authority (CA) certificate:
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-Holland
Locality Name (eg, city) []:Zaandam

Download and modify the server configuration file according to your situation.

[dn]
C=NL
ST=Zaandam
L=Noord-Holland
O=End Point
OU=Research and development

5. Create a server Certificate Signing Request (CSR) and server private key.

Modify the server extension file according to your situation.

Add Subject Alternative Names:
[alt_names]

This common name must be mentioned as one of the Subject Alternative Names.

7. Create the server certificate:

Each issued certificate must contain a unique serial number assigned by the CA.
It must be unique for each certificate given by a given CA.
OpenSSL keeps the used serial numbers on a file.

Always keep the private keys secure:

Recap
We have created our own Certificate Authority (root certificate).
But this CA is not trusted by our system.
Next our CA has created a certificate with SAN.
Trusted CA’s such as Comodo and GoDaddy are trusted because their root certificates are already imported in our system.

In YouTube video “Geth supporting SSL using reverse proxy server” I will be using this self signed certificate to setup a reverse proxy server accessible by:

Check out all my other Ethereum related tutorial videos:

Subscribe to my YouTube channel:

The presentation used in this video tutorial can be found at:

#mobilefish #howto #ethereum
  1. Mobilefish.com
  2. Create self signed certificates with Subject Alternative names
  3. self signed certificates with Subject Alternative names
  4. self signed certificates Subject Alternative names
  5. self signed certificates SAN
  6. ssl certificates SAN
Рекомендации по теме
IIS - How 0:02:05

IIS - How to Create Self Signed SSL Certificate for HTTPS

How to create 0:25:01

How to create a valid self signed SSL Certificate?

How to create 0:11:52

How to create self signed SSL certificate using OpenSSL

How to create 0:14:47

How to create self signed SSL certificate using OpenSSL

Create self-signed certificates 0:04:51

Create self-signed certificates with RouterOS

Create Your Own 0:05:34

Create Your Own SSL Certificate Authority (on Linux)

Quick and Easy 0:12:08

Quick and Easy Local SSL Certificates for Your Homelab!

Create Your Own 0:07:09

Create Your Own SSL Certificate Authority (Windows)

Free Software Testing 1:59:30

Free Software Testing Workshop 4.0

15. How to 0:09:39

15. How to Create a Self Signed Certificate in IIS 10 | Windows Server 2019

Certificates from Scratch 0:21:50

Certificates from Scratch - X.509 Certificates explained

Create & sign 0:13:23

Create & sign SSL/TLS certificates with openssl

OpenSSL Step By 0:11:04

OpenSSL Step By Step Tutorial | How to Generate Keys, Certificates & CSR Using OpenSSL

How to create 0:14:35

How to create a CA-signed SSL certificate

Server Certificates - 0:14:12

Server Certificates - Self Signed and LetsEncrypt Certificates for the LAN

Create self signed 0:09:55

Create self signed certificates with Subject Alternative Names

Self Signed Certificates 0:05:12

Self Signed Certificates | Top Docs with Jay LaCroix

Create and sign 0:22:15

Create and sign certs with OpenSSL

Openssl - How 0:05:55

Openssl - How to create self signed certificate

How to Create 0:03:29

How to Create Self-Signed Certificates With PowerShell

How to Create 0:07:24

How to Create Self-Signed Certificate in Apache

HOW TO CREATE 0:02:46

HOW TO CREATE NEW SELF-SIGNED CERTIFICATE WITH POWERSHELL

Create a Self-Signed 0:12:25

Create a Self-Signed Certificate in IIS

Server 2016 Tutorial: 0:03:33

Server 2016 Tutorial: Create Self Signed Certificate and Bind in IIS

Комментарии
Автор

Thanks man, you managed to simply explain me in 5 min what 99% of the topics on the net can't in 3 months!

lubrifiax
Автор

WOW, You are brilliant, taught a difficult subject in a very easy manner. Really liked it... Thank you SIR!

waheed
Автор

Excellent Instructional video. Thank you for taking the time to explain in detail how this works.

redhatfan
Автор

I spend 4 hours trying to make this work.
Your video help me do it! Thank you very much!

jonathanmartins
Автор

Great tutorial - very comprehensive, also provides a good insight as to how OpenSSL features are organised around enterprise concerns.
Thanks!

liberatemi
Автор

My man! I didn't follow your instructions to the letter as I had already completed most of these steps but adding the "subjectAltName = @alt_names" pointer to the server extension is what I was missing. Thank you.

Neomeister
Автор

Simple and effective tutorial...Thanks!!!

rohitshetty
Автор

You should be importing the CA certificate into your trusted store. Then every certificate signed by that CA will be trusted by your computer. (Your file ca.pem)

boring
Автор

Works for me! Just one cuestion, if I want to put the server.crt and server.key in one file, for example server_bundle.pem. Is going to work?

cbnitez
Автор

I cannot visually read your webpage from the video. It is very blurry.

warronfrench
Автор

May I ask a question. In my development environment I have multiple http servers, openvpn servers, vcenter and esx servers etc, and I remove or change of add new ones regularly.

They are all in the same domain eg. *.domain.com.

I can;t see how adding all the names into the subjectalternatenames field would be practical as they change, would having only "domain.com" in the subjectalternatename be sufficient to cover all the hosts?

davidharrison
Автор

can anyone tell me, why the main URL or subject URL is needed to be mentioned in the DNS list?

shwetamanjrekar
Автор

Am getting an error like below while issuing User Certificate using openSSL
Like: Windows
I am unable to access to the C:\ssl\democa Invalid argument

Guiltypleasure_
Автор

Hi Sir
I have queries to seek your advice after following all the steps very closely on a Windows 10 environment:

Q1.) When I enter this command: sudo openssl x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext

I don’t have the generated ca.srl file

Please kindly advise on this if I missed out any step

gabrielbong
Автор

Hi, I need to generate a client certificate also, can you please advise how this can be incorporated ?

Junaidddevil
Автор

Hi you mentioned to install server.key and the certificate can you explain how to install the server.key? Thanks.

donnagamis