Forked from GangGreenTemperTatum/Creating a CSR and SSL Certificate with SAN Extensions.md
Created
May 11, 2025 17:59
Revisions

- GangGreenTemperTatum created this gist, Jun 6, 2023.
- GangGreenTemperTatum renamed this gist (file renamed without changes).
# Creating a CSR and SSL Certificate with SAN Extensions

### **Problem**:

As per [Few days ago (after an update) FF simply refused to accept my self-signed certificate anymore](https://support.mozilla.org/en-US/questions/1379144), Firefox requires `SAN` (Subject Alternative Names) to be present:

> It must be due to removed "subject common name" fallback support from certificate validation. This fallback mode was previously enabled only for manually installed certificates. The CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension since 2012, and use of the subject common name was deprecated in RFC 2818.

> Firefox from 101.0 onward no longer uses the certificate CN (Common Name) for matching the domain name to the certificate and has migrated to only using the SAN (Subject Alternate Name), so if you self-sign for internal devices you’ll need to regenerate.

### **Solution**:

As per [Know about SAN Certificate and How to Create With OpenSSL](https://geekflare.com/san-ssl-certificate/), follow the steps below to create, generate and verify the CSR with SAN:

- Create a `san.cnf` file in your local environment. The line marked "`<---`" is the fix described [here](https://gist.github.com/KeithYeh/bb07cadd23645a6a62509b1ec8986bbc?permalink_comment_id=4591574#gistcomment-4591574):

```
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no # <--- This is required to fix OpenSSL output bug

[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Acme
commonName = example.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
```

- Generate the CSR referencing the `san.cnf` config file:

  `openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout server-key.pem -config san.cnf`

- Verify the SAN(s) present within the CSR:

  `openssl req -noout -text -in sslcert.csr | grep DNS`

### **Problem**:

As per [OpenSSL Docs -> Bugs](https://www.openssl.org/docs/man1.0.2/man1/x509.html):

> Extensions in certificates are not transferred to certificate requests and vice versa.

### **Solution**:

As per [How to create a self-signed SSL Certificate with SubjectAltName(SAN)](https://gist.github.com/KeithYeh/bb07cadd23645a6a62509b1ec8986bbc):

- Create a config file for the SAN extensions, for example:

  Quick note: if you leave `basicConstraints = CA:TRUE`, Firefox will think your cert is a CA and deny your request. Omitting that will fix the `MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY` issue you're getting. Worth noting that, as far as I know, Firefox will deny all self-signed certs, and you can't get around it with security exceptions.

  `touch v3.ext`

```
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:example.meme, DNS:www.example.meme
issuerAltName = issuer:copy
```

- Generate the `x.509` certificate using the `-extfile v3.ext` flag to include the SAN(s):

```
openssl x509 -req -days 365000 -set_serial 04 \
    -in sslcert.csr \
    -out server-cert.pem \
    -CA ca-cert.pem \
    -CAkey ca-key.pem \
    -extfile v3.ext
```

It's unknown whether both the CSR and the SSL certificate need to be generated with their respective `san.cnf` and `v3.ext` config files in tandem, but it is recommended for continuity at least.

How to verify the signed certificate for SAN?

`openssl x509 -text -noout -in server-cert.pem | grep -A 1 "Subject Alternative Name"`

**Other recommended reads**:

- https://www.golinuxcloud.com/openssl-subject-alternative-name/
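The two sections above run end to end, as an added example that is not the gist's own code: it writes the `san.cnf` and a `v3.ext` (keyUsage trimmed to digitalSignature and keyEncipherment, with keyCertSign dropped because that bit belongs on CA certificates rather than a CA:FALSE leaf), mints a throwaway CA, issues the certificate with `-extfile`, and then checks that the SANs actually landed in the signed certificate rather than only in the CSR. The `san_check` function and the CA subject name are my own.

```shell
# Added example (not the gist's own code): CA + CSR + signed leaf, then a SAN check.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
# san.cnf from the gist; prompt = no makes the DN fields come from the file
cat > san.cnf <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Acme
commonName = example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
# v3.ext: extensions applied at signing time (CSR extensions are NOT copied into the cert).
# keyCertSign omitted on purpose: it is a CA bit and the leaf is CA:FALSE (my assumption).
cat > v3.ext <<'EOF'
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:example.com, DNS:www.example.com
EOF
# Throwaway CA (constructed for this example), the CSR, and the signed leaf certificate
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca-cert.pem \
  -days 365 -subj "/CN=Example Test CA" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem -out sslcert.csr \
  -config san.cnf >/dev/null 2>&1
openssl x509 -req -days 365 -set_serial 04 -in sslcert.csr -CA ca-cert.pem \
  -CAkey ca-key.pem -extfile v3.ext -out server-cert.pem >/dev/null 2>&1
# san_check CERT NAME: succeeds only if NAME is a DNS SAN of CERT and CERT is not a CA
san_check() {
  txt=$(openssl x509 -noout -text -in "$1")
  printf '%s\n' "$txt" | grep -A 1 'Subject Alternative Name' | grep -qE "DNS:$2(,| |$)" &&
  printf '%s\n' "$txt" | grep -q 'CA:FALSE'
}
```

Running `san_check server-cert.pem www.example.com` after the script exits 0; the same check against a name missing from `alt_names` exits non-zero, which is the condition Firefox 101+ enforces.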