June 2020
M T W T F S S
« Mar    
1234567
891011121314
15161718192021
22232425262728
2930  

Categories

WordPress Quotes

Be Content with what you have; rejoice in the way things are. When you realize there is nothing lacking, the whole world belongs to you.
Lao Tzu
June 2020
M T W T F S S
« Mar    
1234567
891011121314
15161718192021
22232425262728
2930  

Short Cuts

2012 SERVER (64)
2016 windows (9)
AIX (13)
Amazon (40)
Ansibile (19)
Apache (135)
Asterisk (2)
cassandra (2)
Centos (211)
Centos RHEL 7 (270)
centos8 (3)
chef (3)
cloud (2)
cluster (3)
Coherence (1)
DB2 (5)
DISK (25)
DNS (9)
Docker (30)
Eassy (11)
ELKS (1)
EXCHANGE (3)
Fedora (6)
ftp (5)
GIT (3)
GOD (2)
Grub (1)
Hacking (10)
Hadoop (6)
health (2)
horoscope (23)
Hyper-V (10)
IIS (15)
IPTABLES (15)
JAVA (7)
JBOSS (32)
jenkins (1)
Kubernetes (7)
Ldap (5)
Linux (188)
Linux Commands (166)
Load balancer (5)
mariadb (14)
Mongodb (4)
MQ Server (24)
MYSQL (84)
Nagios (5)
NaturalOil (13)
Nginx (35)
Ngix (1)
openldap (1)
Openstack (6)
Oracle (35)
Perl (3)
Postfix (19)
Postgresql (1)
PowerShell (2)
Python (3)
qmail (36)
Redis (12)
RHCE (28)
SCALEIO (1)
Security on Centos (29)
SFTP (1)
Shell (64)
Solaris (58)
Sql Server 2012 (4)
squid (3)
SSH (10)
SSL (14)
Storage (1)
swap (3)
TIPS on Linux (28)
tomcat (62)
Ubuntu (1)
Uncategorized (30)
Veritas (2)
vfabric (1)
VMware (28)
Weblogic (38)
Websphere (71)
Windows (19)
Windows Software (2)
wordpress (1)
ZIMBRA (17)

WP Cumulus Flash tag cloud by Roy Tanck requires Flash Player 9 or better.

Who's Online

0 visitors online now
0 guests, 0 bots, 0 members

Hit Counter provided by dental implants orange county

wild card ssl certifcate

Generating and Installing Wildcard and Multi-Domain SSL Certificates

Generate a CSR (Cert Signing Request) For a Wildcard Domain

Normally, to generate a certificate for a wildcard domain such as *.example.com, all you have to do (when generating the CSR) is specify in the “Common Name” field:
*.example.com

The problem is that that:

This will only wildcard 1 sub-domain level (i.e., it will not work for www.subdomain.example.com, https://www.subdomain.example.com).
And it will not cover the root domain (i.e., “example.com”, https://example.com).
To cover additional domains and wildcards, you have to use openssl’s SAN (subjectAltName) extension…

1. Edit file openssl.cnf (open via Notepad) –
File C:\WampDeveloper\Config\Apache\openssl.cnf

2. Uncomment (remove starting ‘#’) line:
# req_extensions = v3_req # The extensions to add to a certificate request

req_extensions = v3_req # The extensions to add to a certificate request
3. Update the “[ v3_req ]” section with line:
subjectAltName = @alt_names

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
4. Create file named “alt-names.txt” and place the entire list of all domains and wildcards into it (including the previously entered “Common Name”):

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = *.example.com
DNS.4 = *.*.example.com
Note that entry “*.*.example.com” wildcards on multiple level sub-domains. This entry might, or might not work, depending on how different Browsers decide to handle this and if the CA (Certificate Authority) allows this.

5. Follow the exact instruction on generating a CSR, except make sure to add the “alt-names.txt” file into the CSR generation command…

openssl genrsa -out example_com.key 2048
openssl req -new -sha256 -key example_com.key -out example_com.csr -config C:\WampDeveloper\Config\Apache\openssl.cnf
The first line generates your private key. The next line generates the CSR, using the additional entries from the alt-names.txt file. At this point you can either input the contents of CSR file into the CA’s certificate purchasing process, or self-sign the cert…

Self-Signing a CSR (Certificate Signing Request) For a Wildcard Domain

If you are going to self-sign this certificate, you will need to tell the CA configuration to allow and use the SAN extension, by uncommenting in file openssl.cnf, line:
# copy_extensions = copy

[ CA_default ]
# Extension copying option: use with caution.
copy_extensions = copy
Then create the self-signed wildcard certificate the exact same way as in all other cases:

openssl x509 -req -sha256 -days 365 -in example_com.csr -signkey example_com.key -out example_com.crt -extfile C:\WampDeveloper\Config\Apache\alt-names.txt
Installing Wildcard and Multi-Domain Certificates

There is no difference between how Apache (nor any other web-server such as IIS, Nginx, Tomcat) treats normal and wildcard certs.

You would install the certificates the regular way, with a separate update to each website’s SSL VirtualHost file, on the location/path to the: cert, bundle file (if exists), and private key (all of which can point to the same locations for each website, or can be duplicated into each websites’ certs\ folder)…

For example see Installing Comodo PositiveSSL Certificate Bundled with Root and Intermediate CA Certificates on Apache.

Note that if you self-signed the certificate:

There will be no bundle file (don’t use “SSLCertificateChainFile” directive).
And if you want your local OS and Browser to actually accept and pass this certificate (without blocking website access as “untrusted”), you are going to have to install it into Windows Trusted Root Certification Authorities store. *Some Browsers do not use this store and have their own “trust exception” process.

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  

  

  

Blue Captcha Image
Refresh

*

Protected by WP Anti Spam