I am trying to generate an SSL certificate that, after being signed by my own CA, will work for multiple domains.

My openssl configuration file looks like this:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Berlin
localityName = Locality Name (eg, city)
localityName_default =
organizationName = Organization Name (eg, company)
organizationName_default =
commonName  = Common Name (eg, your domain)
commonName_default = example.com
commonName_max = 64

[ req_ext ]

subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = a.example.com
DNS.3 = b.example.com

The resulting CSR looks like this:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Berlin, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:a.example.com, DNS:b.example.com
    Signature Algorithm: sha1WithRSAEncryption
        ...

However, after installing this on Apache, the browsers (both Chrome and Firefox) do not seem to see or respect the SAN. example.com works due to the common name; the two subdomains don't.

What am I doing wrong? How can I troubleshoot this?

(I have simplified the example here. Wildcard certs are not an option.)

d_inevitable

2 Answers

You've posted everything relevant except the details of the actual signed cert from your CA. I'm guessing your CA has stripped or ignored the SAN fields in your request for some reason. It should be easy enough to check with openssl.

openssl x509 -in my.crt -text

Assuming the SAN fields are indeed missing from the signed cert, you'll have to figure out why your CA is stripping or ignoring those fields. I'm not terribly familiar with running an openssl based CA, but I know earlier versions of the Windows CA needed a registry tweak to support SANs.

Ryan Bolger
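The question's configuration carries the SAN only as a request extension (req_extensions), and the answer above says to check whether the signed certificate still has it. The script below is an added example, not code from the question or from either answer. It builds a throw-away CA and the question's CSR in a temporary directory, signs the CSR twice with `openssl x509 -req`: once with no extension handling, which drops the requested extensions because `x509 -req` does not copy them from the CSR by default, and once with `-extfile`/`-extensions` pointing at the same req_ext section. It then counts the DNS entries in each certificate's SAN and runs `openssl verify -verify_hostname` for each name, which reproduces the browser symptom: example.com passes on the common name, a.example.com and b.example.com fail on the certificate without a SAN. The file names, the CA subject and the 30-day lifetimes are constructed for the demo; how the asker's CA actually signed the request is not on the page, so this shows one common cause of the symptom, not necessarily theirs.

```shell
#!/bin/sh
# Added example (not from the question or the answers): reproduce "SAN in the
# CSR, SAN missing from the signed cert" with a throw-away CA, sign again so the
# SAN survives, and check each name the way a browser would. File names and the
# CA subject are constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Request config in the shape used in the question (prompt = no so the DN comes
# from the file). The SAN is only a *request* extension: it ends up in the CSR
# and nowhere else unless the signer re-applies it.
cat > req.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
C = DE
ST = Berlin
CN = example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = a.example.com
DNS.3 = b.example.com
EOF

# Minimal self-signed CA config; basicConstraints is explicit so every OpenSSL
# version accepts ca.crt as an issuer.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext

[ ca_dn ]
CN = Demo Test CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config ca.cnf \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
}

make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -keyout server.key -out server.csr >/dev/null 2>&1
}

# Naive signing: `x509 -req` does not copy the CSR's requested extensions, so
# the SAN is silently dropped. This is the kind of cert the browsers reject.
sign_dropping_san() {
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -out dropped.crt >/dev/null 2>&1
}

# Correct signing: re-apply the same extension section at signing time.
sign_keeping_san() {
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile req.cnf -extensions req_ext -out kept.crt >/dev/null 2>&1
}

# Number of DNS names in the signed cert's SAN (0 means it was dropped); this is
# the `openssl x509 -text` check from the answer reduced to one number.
san_dns_count() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

# Chain plus hostname check for one name, i.e. what the browser decides.
# Matching on ": OK" instead of the exit code also works on old releases.
check_host() {
  if openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" 2>/dev/null | grep -q ': OK'; then
    echo ok
  else
    echo fail
  fi
}

make_ca; make_csr; sign_dropping_san; sign_keeping_san
echo "dropped.crt DNS SAN entries: $(san_dns_count dropped.crt)"
echo "kept.crt    DNS SAN entries: $(san_dns_count kept.crt)"
for host in example.com a.example.com b.example.com; do
  echo "$host: dropped=$(check_host dropped.crt "$host") kept=$(check_host kept.crt "$host")"
done
```

Run it as a script with the openssl binary on PATH. If the CA is driven by `openssl ca` rather than `x509 -req`, the equivalent knob is `copy_extensions = copy` in the CA section of its configuration; without it the requested extensions are likewise discarded at signing time.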

I'm debugging a similar problem, with the addition of requiring client certificates as well. I'm using Tomcat on Linux, so I can do the following to help debug:

  1. Add "-Djavax.net.debug=all" to your execution environment in whatever way makes sense. I added this in my app's setenv.sh file.

    This will produce log entries that allow you to see details of the SSL handshake, such as whether the whole certificate chain is included in the ServerHello message.

  2. Use a variant of this openssl command to see how openssl handles the certificates:

    $ openssl s_client -connect <address>:<port> -debug \
       -cert <client_cert_file> -key <client_key_file> -CAfile cacert.pem

Darin
  • "It looks like Chrome does not handle SAN fields at this time." This is demonstrably false. Go to https://www.keurig.com in Chrome. Does it validate for you? That domain is only in the SAN of the certificate. – Jumbogram Sep 11 '13 at 19:37
  • I cannot argue with that, given your excellent example certificate. – Darin Sep 13 '13 at 14:45