Actually I wanted to cover this topic in the previous post, but somehow missed it.
Using the one-liner mentioned there can lead to typos and/or strange behaviour on the CA side, especially with a Windows CA.
To avoid these issues, I mentioned "a specially designed *.conf file", which I'd like to elaborate on today.
The following steps are necessary:
Create a file "req.conf" in /etc/ssl/ (Ubuntu 14.04; paths may vary) with the following content. Replace the $Your... placeholders with real values before use: OpenSSL treats $name in a config file as a variable reference and errors out on an undefined one, so leftover placeholders will not silently end up in the certificate.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
# C is the two-letter ISO 3166 country code (e.g. DE), not the TLD
C = $YourCountryCode
ST = $YourState
L = $YourCity
O = $YourCompany
OU = $YourDepartment
# e.g. internal.company.tld; with prompt = no the value is taken literally,
# so do not put examples in parentheses here. Repeat the CN under [alt_names],
# since clients validate the subjectAltName and ignore the CN.
CN = $YourCName

[v3_req]
# digitalSignature is needed for ECDHE cipher suites, keyEncipherment for RSA
# key exchange; dataEncipherment is not used by TLS at all
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.internal.company.tld
DNS.2 = internal.company.tld
# a wildcard is only valid as the complete leftmost label; a name such as
# www.*.internal.company.tld is rejected by clients (and by most CAs)
DNS.3 = www.internal.company.tld
Essentially, this is the same information that the "-subj" option carried in last week's one-liner, plus the extensions section, which -subj alone cannot express.
Now you can generate a key (it is written unencrypted, so restrict its file permissions to the owner):
openssl genrsa -out internal.company.tld.key 4096
and use your new key and the req.conf file to generate a CSR, which can then be fed into your CA as usual:
openssl req -new -out internal.company.tld.csr -key internal.company.tld.key -config req.conf -sha256
Before submitting it, inspect the CSR (openssl req -text -noout) and check that the subjectAltName and keyUsage entries are really there; and inspect the issued certificate afterwards as well, because a CA may drop or override requested extensions according to its own template.
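The whole procedure as one script, added here as an example and not taken from the original post: it writes req.conf from a CN plus a list of SAN entries (rejecting wildcards that are not the leftmost label), generates key and CSR, and then inspects the CSR to confirm that the extensions actually made it in. The function names, the DN sample values and the host names used are assumptions for this example.

```sh
#!/bin/sh
# Added example, not part of the original post: build req.conf from a CN and
# a list of SAN entries, generate key + CSR, and verify that the CSR really
# carries the subjectAltName and keyUsage extensions before it goes to the CA.
# Function names, DN values and host names below are assumptions.
set -eu

# valid_san_name NAME: a wildcard is only acceptable as the entire leftmost
# label (*.example.tld); names like www.*.example.tld are rejected by clients.
valid_san_name() {
    case $1 in
        *'*'*'*'*) return 1 ;;   # more than one '*'
        '*.'?*)    return 0 ;;   # '*' is the whole leftmost label
        *'*'*)     return 1 ;;   # '*' anywhere else
        *)         return 0 ;;   # plain DNS name
    esac
}

# write_req_conf OUT CN NAME...: writes the OpenSSL req config. Values are
# written literally (prompt = no), so no $placeholders end up in the file.
# The DN fields are constructed sample values; adjust them for real use.
write_req_conf() {
    out=$1; cn=$2; shift 2
    for name in "$@"; do
        valid_san_name "$name" || { echo "invalid SAN entry: $name" >&2; return 1; }
    done
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n\n'
        printf '[req_distinguished_name]\nC = DE\nST = Example-State\n'
        printf 'L = Example-City\nO = Example Company\nOU = IT\nCN = %s\n\n' "$cn"
        printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n'
        printf '[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$out"
}

# gen_csr KEY CSR CONF [BITS]: unencrypted RSA key created with 0600 permissions
# (umask in a subshell, so it does not leak into the caller), then the CSR.
gen_csr() (
    umask 077
    openssl genrsa -out "$1" "${4:-4096}"
    openssl req -new -sha256 -key "$1" -config "$3" -out "$2"
)

# csr_has_san CSR NAME / csr_has_keyusage CSR: read the CSR back the way the CA
# sees it. Fixed-string grep, because '*' would be a regex operator otherwise.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}
csr_has_keyusage() {
    openssl req -in "$1" -noout -text | grep -qF 'Digital Signature, Key Encipherment'
}

# Full run for one host (assumed name internal.company.tld).
main() {
    cn=${1:-internal.company.tld}
    write_req_conf req.conf "$cn" "*.$cn" "$cn" "www.$cn"
    gen_csr "$cn.key" "$cn.csr" req.conf
    csr_has_san "$cn.csr" "*.$cn" && csr_has_keyusage "$cn.csr" \
        && echo "$cn.csr carries SAN and keyUsage; submit it to the CA"
}

# The full run needs the openssl binary; skip it where that is not installed.
if command -v openssl >/dev/null 2>&1; then
    main
fi
```

Running it leaves req.conf, internal.company.tld.key and internal.company.tld.csr in the current directory; the CSR check only tells you what you asked for, so compare the issued certificate against the same names once the CA has signed it.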
This *.conf file can be reused as a template for other CNs/altNames as well and is, in my eyes, clearer than a one-liner.