Generating CSR for multi-domain [closed]

How to generate a CSR for multi-domain.

I found that generating a CSR for a single domain is as below:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr 

But how do I generate a CSR for multi-domain?

Elisa asked Feb 06 '12 09:02



1 Answer

For an X.509 certificate to support multiple domains, it must use multiple Subject Alternative Name DNS entries, according to RFC 2818 (HTTP over TLS) (or RFC 6125):

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)

As described in this document (except I would use -des3 too for the genrsa command, to protect the private key):

  • Make a copy of your initial openssl.cnf file (the original is probably somewhere under /etc on Linux).
  • Edit it to add req_extensions = v3_req in the [ req ] section.
  • Edit it to add subjectAltName=DNS:www.example.com,DNS:www.other-example.com (one DNS: entry per host name you require) in the [ v3_req ] section.
  • Make OpenSSL use that configuration file. Call it with OPENSSL_CONF=/path/to/your/openssl.cnf openssl req ...

This being said, I wouldn't worry too much about setting any extension in the CSR. Any good CA should ignore whatever you've set in the CSR and only set whatever they have actually verified when issuing the actual certificate. They'll happily replace any RDN in your Subject DN (e.g. Country, Organization, ...) as well as any extension (SAN or Key Usage). Firstly, if they allowed any extension as requested in the CSR by the applicant, this would be a security risk, since some applicants could really get anything. Secondly, that's how they make extra money, by charging you for setting a few bits here and there (e.g. code signing extension): they'll make sure that you only get what you've paid for in your certificate. I understand, though, that you may want to put all the names you request in your CSR, just to be sure.

Bruno answered Oct 05 '22 05:10
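The four-step procedure in the answer (copy openssl.cnf, add req_extensions = v3_req, add a subjectAltName line, point openssl at that file), written out as an added example script that is not part of the answer. It writes a minimal config instead of copying the system one, passes it with the -config option of openssl req rather than the OPENSSL_CONF variable, uses -nodes for an unencrypted key (the answer recommends protecting the key, e.g. with -des3), and then reads the SAN list back out of the generated CSR so you can confirm the extension actually landed. The host names and function names are constructed for the example.

```shell
#!/bin/sh
# Generate a multi-domain (SAN) CSR with a private OpenSSL config file, then
# read the SAN entries back from the CSR. Added example; assumes openssl is
# on PATH. Host names used below are constructed, not real deployments.

make_san_csr() {
    # $1 = Common Name, $2 = comma-separated host names, $3 = output directory
    cn=$1; names=$2; dir=$3
    # Turn "a.example.com,b.example.com" into "DNS:a.example.com,DNS:b.example.com"
    san=$(printf '%s' "$names" | sed 's/[^,][^,]*/DNS:&/g')
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = $cn

[ v3_req ]
subjectAltName = $san
EOF
    # -nodes leaves the key unencrypted; use -des3 (or -aes256) for a
    # passphrase-protected key as the answer suggests.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/san.cnf" >/dev/null 2>&1 || return 1
    echo "$dir/server.csr"
}

csr_sans() {
    # Print the DNS names in the CSR's subjectAltName, one per line.
    # The SAN value is on the line following the extension header.
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# Demo: run as "sh this_script.sh demo" to create a CSR in a temp directory.
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    csr=$(make_san_csr www.example.com www.example.com,www.other-example.com "$out") || exit 1
    echo "CSR written to $csr with SAN entries:"
    csr_sans "$csr"
fi
```

The same inspection idea applies to the certificate the CA returns: swap `openssl req -in` for `openssl x509 -in` and compare the names against what you requested, since, as the answer notes, the CA may drop or rewrite extensions from the CSR.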