Use OpenSSL to create a certificate containing SAN
What is SAN?
SAN (Subject Alternative Name) is an extension defined in the X.509 standard. An SSL/TLS certificate that carries a SAN field extends the set of domain names the certificate covers, so that a single certificate can be valid for several different domain names.
- Create a "cert" directory to hold the certificates and configuration files.
- Create the configuration file "openssl.cnf" in the "cert" directory, with the following content:
[CA_default]
copy_extensions = copy
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# country
C = CN
# province
ST = jl
# city
L = cc
# organization
O = hacker's home
# department
OU = hacker's home
# domain name
CN = localhost
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
# domain names the certificate is valid for (add DNS.2, DNS.3, ... for more)
DNS.1 = localhost
- Generate the root certificate. Use the command line tool to enter the "cert" directory and execute the following commands:
Generate the CA private key:
openssl genrsa -out ca.key 2048
Create a certificate signing request (CSR) for the CA (answer the prompts for the CA's subject):
openssl req -new -key ca.key -out ca.csr
Self-sign the CSR with the CA private key to produce the root certificate ca.crt:
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
- In the "cert" directory, create the "server" and "client" directories, which hold the server keys and the client keys respectively.
- Generate the server key and certificate. Use the command line tool to enter the "cert/server" directory and execute the following commands (the CA files and openssl.cnf live one level up, hence the ../ paths):
Generate the server private key:
openssl genrsa -out server.key 2048
Create a CSR for the server, taking the subject from openssl.cnf:
openssl req -new -nodes -key server.key -out server.csr -config ../openssl.cnf -extensions 'v3_req'
Verify the CSR's attributes:
openssl req -noout -text -in server.csr
Sign the CSR with the CA, adding the v3_req extensions (including the SAN) from openssl.cnf, to produce the SAN certificate:
openssl x509 -req -in server.csr -out server.pem -CA ../ca.crt -CAkey ../ca.key -CAcreateserial -extfile ../openssl.cnf -extensions 'v3_req'
Verify the generated certificate (the "X509v3 Subject Alternative Name" section should list DNS:localhost):
openssl x509 -noout -text -in server.pem
- Generate the client key and certificate. Use the command line tool to enter the "cert/client" directory and execute the following commands:
Generate the client private key:
openssl genrsa -out client.key 2048
Create a CSR for the client, taking the subject from openssl.cnf:
openssl req -new -nodes -key client.key -out client.csr -config ../openssl.cnf -extensions 'v3_req'
Sign the CSR with the CA, adding the v3_req extensions from openssl.cnf, to produce the client SAN certificate:
openssl x509 -req -in client.csr -out client.pem -CA ../ca.crt -CAkey ../ca.key -CAcreateserial -extfile ../openssl.cnf -extensions 'v3_req'
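The whole procedure above (configuration file, root CA, server and client certificates) as one script, followed by checks that the SAN actually took effect. This is an added example, not code from the original page: it runs in a scratch directory, uses a separate CA configuration (the assumed subject "Example Root CA" with CA:TRUE, because the v3_req section deliberately sets CA:FALSE), and goes beyond the page by listing two extra constructed SAN entries (www.example.test and 127.0.0.1) so that the multi-name behaviour is visible. The last function uses openssl verify with -verify_hostname, which is the same name check a TLS client performs against the SAN list.

```shell
#!/bin/sh
# Added example (not from the original page): build the CA, issue SAN
# leaf certificates and verify them. Extra SAN names are constructed
# sample values; the CA subject is an assumption.
set -eu

# Nothing to demonstrate without the openssl binary.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Leaf configuration: the page's openssl.cnf with canonical key names
# plus two extra (constructed) SAN entries.
write_leaf_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C  = CN
ST = jl
L  = cc
O  = hacker's home
OU = hacker's home
CN = localhost

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = www.example.test
IP.1  = 127.0.0.1
EOF
}

# CA configuration (assumed): a CA must carry CA:TRUE and keyCertSign,
# which the leaf section intentionally does not grant.
write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = ca_dn
x509_extensions = v3_ca
prompt = no

[ca_dn]
CN = Example Root CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root certificate; req -x509 does CSR and signing in one step.
make_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$1/ca.key" -out "$1/ca.crt" -config "$1/ca.cnf"
}

# Issue a leaf certificate named $2 (server, client, ...) signed by the CA.
# -reqexts copies the SAN into the CSR so it can be inspected there;
# -extfile/-extensions is what places it into the signed certificate.
issue_leaf() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -config "$1/openssl.cnf" -reqexts v3_req
  openssl x509 -req -days 365 -in "$1/$2.csr" -out "$1/$2.pem" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/openssl.cnf" -extensions v3_req 2>/dev/null
}

# True when certificate $1 lists $2 as a DNS SAN entry.
cert_has_dns_san() {
  openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"
}

# True when certificate $2 chains to the CA in $1 and matches hostname $3.
cert_valid_for_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

write_leaf_config "$WORK"
write_ca_config "$WORK"
make_ca "$WORK"
issue_leaf "$WORK" server
issue_leaf "$WORK" client
# Show the SAN section of the server certificate.
openssl x509 -noout -text -in "$WORK/server.pem" | grep -A1 "Subject Alternative Name"
```

The negative case matters as much as the positive one: a name that is not in the SAN list (for example other.example.test) must make cert_valid_for_host fail, which is exactly why a certificate without the right SAN entries is rejected by browsers and TLS libraries even when it chains to a trusted CA.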
OpenSSL keyUsage values (these are the names accepted in the keyUsage line of the configuration file):
Digital signature: digitalSignature
Non-repudiation: nonRepudiation
Key encipherment: keyEncipherment
Data encipherment: dataEncipherment
Key agreement: keyAgreement
Certificate signing: keyCertSign
CRL signing: cRLSign
Encipher only: encipherOnly
Decipher only: decipherOnly