Apache: how to create a multi-domain SSL certificate
Introduction
By default, an SSL certificate is valid for only a single host name.
Using a wildcard, you can match all the subdomains with a single certificate. However, a wildcard certificate is valid only for the names one label below it, and not for the main domain: a certificate for *.example.com is valid for www.example.com, foo.example.com and bar.example.com, but not for example.com (and not for a.b.example.com either, because the wildcard matches exactly one DNS label).
If you need to match both the main domain and its subdomains, or even different domains (e.g. example.com and example.net), you need a multi-domain SSL certificate, that is, one carrying a Subject Alternative Name (SAN) extension that lists every name.
Note:
• See how to create a single-domain self-signed SSL certificate
How to create the multi-domain SSL certificate
To create the multi-domain SSL certificate you need the OpenSSL command-line tool (and its libraries) installed on the machine where you work.
The commands to create a multi-domain SSL certificate are almost the same as those used to create a single-domain certificate.
The difference is that the Certificate Signing Request (CSR) must be generated with a customized copy of the OpenSSL configuration file that lists the domain names and, optionally, IP addresses in the subjectAltName (SAN) extension. Note that current browsers ignore the Common Name and rely on the SAN list alone, so every host name the certificate must serve, including the one you type as Common Name, has to appear in that list.
Customize the openssl.conf file
Make a copy of the openssl.cnf file (usually located in /etc/ssl/openssl.cnf; on Red Hat derivatives it is /etc/pki/tls/openssl.cnf, and openssl version -d prints the directory your build uses) into the working directory. You can name this file openssl_copy.cnf, for example.
Then open the new file with a text editor and search for the [req] section, and uncomment the req_extensions line removing the hash (#) on the first column:
[ req ]
req_extensions = v3_req # The extensions to add to a certificate request
Then search for the [v3_req] section and add the subjectAltName parameter:
[ v3_req ]
subjectAltName = @alt_names
Finally, add at the end of the file a new section [alt_names] that contains all the domain names and/or IP addresses you want to include in the SSL certificate:
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.third.example.com
DNS.4 = example.net
DNS.5 = *.example.net
IP.1 = 1.2.3.4
IP.2 = 5.6.7.8
In this example, the SSL certificate will be valid for example.com, www.example.com, every direct subdomain of third.example.com (for example foo.third.example.com, but not third.example.com itself, nor a.foo.third.example.com), and example.net together with its direct subdomains (third-level names only). A wildcard entry matches exactly one DNS label, so it never covers the base name or deeper levels; list those explicitly if you need them.
The certificate will also be valid for the IP addresses 1.2.3.4 and 5.6.7.8: this is useful if the server is reached directly via its IP address instead of a domain name, since a client connecting by IP matches the address against the IP entries of the SAN, not the DNS ones.
Create the Certificate Signing Request (CSR)
Now you can create the key and the CSR file:
$ openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr -config openssl_copy.cnf
Generating a 2048 bit RSA private key
....................................................................+++
.................................................................................................................+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WizLab
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:john@example.com
This will create a 2048-bit RSA key: if you need a longer key, replace rsa:2048 with the size you prefer (2048 bits is the minimum you should use today). The -nodes option writes the private key unencrypted, which is what Apache needs to start unattended, so restrict the file's permissions (for example chmod 600 example.com.key) and never copy it off the server.
You can verify the CSR file content to be sure the multiple domain names have been included:
$ openssl req -text -noout -in example.com.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=GB, ST=England, L=London, O=WizLab, OU=IT, CN=www.example.com/emailAddress=john@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:.......[content removed]...........:8c
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com, DNS:*.third.example.com, DNS:example.net, DNS:*.example.net, IP Address:1.2.3.4, IP Address:5.6.7.8
Signature Algorithm: sha256WithRSAEncryption
9c:.........[content removed]..............:0a
Finally, you can create the self-signed multi-domain SSL certificate. The -extensions v3_req -extfile options are required: openssl x509 -req does not carry the requested extensions over from the CSR by default, so without them the resulting certificate has no SAN at all and will be rejected for every name. (For a publicly trusted certificate, submit the CSR to a CA instead of self-signing; the Apache configuration below stays the same, apart from adding the CA's chain certificates if your CA requires it.)
$ openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -extensions v3_req -extfile openssl_copy.cnf
Signature ok
subject=/C=GB/ST=England/L=London/O=WizLab/OU=IT/CN=www.example.com/emailAddress=john@example.com
Getting Private key
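The whole procedure above, as an added example that is not part of the original article: a shell script that writes a minimal OpenSSL configuration (assumed here instead of a copy of the system openssl.cnf, with prompt = no and a [dn] section so the Distinguished Name needs no interactive input), generates the key, the CSR and the self-signed certificate with the same commands as above, and then asks OpenSSL's own hostname matcher which names the certificate really covers. The host names, IP addresses and file names are the article's own; the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the original article: build the multi-domain
# self-signed certificate from a minimal, self-contained OpenSSL config
# (assumed here instead of a copy of /etc/ssl/openssl.cnf) and check which
# names it actually covers. Host names, IP addresses and file names are the
# article's; "prompt = no" and the [dn] section are assumptions so that the
# Distinguished Name is taken from the file instead of interactive prompts.
set -eu

# Write the minimal config; [alt_names] mirrors the article's list.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = v3_req

[ dn ]
C  = GB
ST = England
L  = London
O  = WizLab
OU = IT
CN = www.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.third.example.com
DNS.4 = example.net
DNS.5 = *.example.net
IP.1  = 1.2.3.4
IP.2  = 5.6.7.8
EOF
}

# Key + CSR + self-signed certificate in directory $1. -nodes leaves the
# key unencrypted (Apache needs that, so lock the file down); -extensions
# and -extfile are mandatory, otherwise the SAN list is silently dropped.
make_san_cert() {
  local dir cfg
  dir=$1
  cfg=$dir/openssl_copy.cnf
  write_config "$cfg"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/example.com.key" -out "$dir/example.com.csr" -config "$cfg"
  openssl x509 -req -days 365 -in "$dir/example.com.csr" \
    -signkey "$dir/example.com.key" -out "$dir/example.com.crt" \
    -extensions v3_req -extfile "$cfg"
  chmod 600 "$dir/example.com.key"
}

# Print the SAN line of certificate $1, to eyeball what was actually issued.
san_list() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Does certificate $1 cover host name $2? -checkhost runs OpenSSL's real
# matcher, so wildcard semantics (exactly one label) are the ones clients use.
cert_matches_host() {
  openssl x509 -noout -in "$1" -checkhost "$2" | grep -q ' does match certificate'
}

# Same question for an IP address literal, matched against the IP SAN entries.
cert_matches_ip() {
  openssl x509 -noout -in "$1" -checkip "$2" | grep -q ' does match certificate'
}

# Demo: sh san_cert_check.sh run
if [ "${1:-}" = "run" ]; then
  workdir=$(mktemp -d)
  make_san_cert "$workdir"
  echo "SAN: $(san_list "$workdir/example.com.crt")"
  for name in example.com www.example.com foo.third.example.com third.example.com \
              example.net foo.example.net a.b.example.net evil.example.org; do
    if cert_matches_host "$workdir/example.com.crt" "$name"; then
      echo "covered:     $name"
    else
      echo "NOT covered: $name"
    fi
  done
  for ip in 1.2.3.4 9.9.9.9; do
    if cert_matches_ip "$workdir/example.com.crt" "$ip"; then
      echo "covered:     $ip"
    else
      echo "NOT covered: $ip"
    fi
  done
fi
```

Run it as sh san_cert_check.sh run. Because the checks go through openssl x509 -checkhost and -checkip rather than a hand-written comparison, what you see (foo.third.example.com and foo.example.net covered; third.example.com, a.b.example.net and any name outside the list not covered) is exactly the decision a TLS client will make against this certificate.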
Apache configuration
The last step is the virtual host configuration on Apache. With IP-based virtual hosting as below, every request reaching 1.2.3.4:443 is served by this host; if you use name-based virtual hosts instead, add a ServerAlias line listing the other names in the certificate (example.com, example.net, *.example.net) so that requests for them are routed to this host and not to the default one:
<VirtualHost 1.2.3.4:443>
ServerName www.example.com
DocumentRoot /www
ErrorLog logs/www.example.com-error.log
CustomLog logs/www.example.com-access.log combined
SSLEngine on
SSLCertificateFile certs/example.com.crt
SSLCertificateKeyFile certs/example.com.key
</VirtualHost>
Check the configuration with apachectl configtest, then restart Apache to make the changes effective. To confirm which certificate is presented for a given name, connect with openssl s_client -connect 1.2.3.4:443 -servername example.net: the output shows the subject of the certificate the server sent, and adding -showcerts prints the full chain.