I used this procedure on a Windows box that was running Apache 2.2, and had the certificate files stored in the Apache conf folder.
When working with SANs (Subject Alternative Names), OpenSSL is your friend. It should already be installed in the bin directory of your Apache folder, at the following location:
C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe
Note that when using openssl on Windows, you may need to set the following environment variable so that Windows can locate your openssl config file. Use the path that is appropriate for your setup. This was where the config file was in my case:
set "OPENSSL_CONF=C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\openssl.cnf"
When ready to create the CSR, open a command prompt and perform the following steps:
Go to the directory where openssl is located
Create a file named sancert.cnf and copy in the following text
Edit the fields as per your requirements and save the file.
[ req ]
default_bits = 2048
# Use the subject values below as-is; without this they are treated as prompt text
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = London
localityName = City of London
organizationName = MyCompany
commonName = myserver.co.uk
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = friendlyname1.com
DNS.2 = friendlyname2.co.uk
DNS.3 = friendlyname3.net
Now run the following OpenSSL command to generate the CSR and key file:
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config sancert.cnf
This will create sslcert.csr and private.key in the current directory. Note that the -nodes switch actually means "No DES": private.key is written without passphrase encryption, so restrict access to that file.
You can verify the SANs are present in your CSR with the following command:
openssl req -noout -text -in sslcert.csr | find "DNS"
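An added example, not part of the original post: a Python check that every DNS name in the [alt_names] section of sancert.cnf appears in the `openssl req -noout -text` output, and whether the commonName is also listed as a SAN (current browsers match host names against SAN entries, not the commonName). The function names and both sample texts are constructed for illustration.

```python
import re

# Constructed sample: the relevant sections of the sancert.cnf shown above.
SAMPLE_CNF = """\
[ req_distinguished_name ]
commonName = myserver.co.uk
[alt_names]
DNS.1 = friendlyname1.com
DNS.2 = friendlyname2.co.uk
DNS.3 = friendlyname3.net
"""

# Constructed sample of "openssl req -noout -text" output with one name missing.
SAMPLE_CSR_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:friendlyname1.com, DNS:friendlyname2.co.uk
"""

def read_cnf(cnf_text):
    """Parse an OpenSSL config into {section: {key: value}} (no includes or $vars)."""
    sections, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def csr_dns_names(csr_text):
    """Collect DNS entries from the line after the Subject Alternative Name header."""
    lines, names = csr_text.splitlines(), set()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" in line:
            names |= {e.strip()[4:].lower() for e in lines[i + 1].split(",")
                      if e.strip().startswith("DNS:")}
    return names

def check(cnf_text, csr_text):
    """Return (names missing from the CSR, whether commonName is among the CSR SANs)."""
    cnf = read_cnf(cnf_text)
    wanted = {v.lower() for k, v in cnf.get("alt_names", {}).items()
              if k.upper().startswith("DNS")}
    got = csr_dns_names(csr_text)
    cn = cnf.get("req_distinguished_name", {}).get("commonName", "").lower()
    return sorted(wanted - got), cn in got

print(check(SAMPLE_CNF, SAMPLE_CSR_TEXT))
```

To run it against real files, pass the contents of sancert.cnf and the saved output of the verification command in place of the two samples.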
Now request your certificate via your usual CA provider with the newly created CSR, re-import your certificate, and you’re done!