openssl ca, key, csr, crt and san

in the original note about self-signed certs I created certs for a given common name (CN)

but now, for yet another project, I am going to need certs with subject alternative names (SAN)

here is a sample script that did the trick:

# WARNING: this also wipes the CA key, so re-running the script produces a brand new CA
# that nobody trusts yet; keep the CA files elsewhere once you have distributed ca.public.pem
rm -rf *.pem *.csr *.srl || true

# Step 1: CA
# ----------

# create the CA private key, it is secret, keep it safe (genrsa writes it unencrypted)
openssl genrsa -out ca.private.pem 2048

# create the self-signed CA certificate, give it to everyone so they can add it to their trusted roots
# (-x509 marks it as a CA, basicConstraints CA:TRUE; a long lifetime is fine for a root)
openssl req -x509 -new -key ca.private.pem -out ca.public.pem -days 10000 -subj "/C=UA/L=Kiev"

# Step 2: Certificate
# -------------------

# create the server private key, it is secret, keep it safe
openssl genrsa -out cert.private.pem 2048

# create "certificate signing request" (csr)
# one CN is enough: clients ignore CN and match hostnames against SAN only
# (RFC 2818, Chrome since 58), so every hostname goes into the SAN list below, not into the subject
openssl req -new -key cert.private.pem -out cert.csr -subj "/CN=demo.mac-blog.org.ua"

# config
# list every hostname the cert must be valid for, including the CN itself
# (">" not ">>", otherwise an interrupted run leaves duplicate entries behind)
cat <<EOT > cert.conf
[SAN]
subjectAltName = @alt_names
[alt_names]
DNS.1 = demo.mac-blog.org.ua
DNS.2 = www.demo.mac-blog.org.ua
EOT

# sign it with our CA; keep the leaf short-lived: iOS 13+/macOS 10.15+ reject
# TLS server certs valid for more than 825 days even when issued by a private CA
openssl x509 -req -in cert.csr -CA ca.public.pem -CAkey ca.private.pem -CAcreateserial -out cert.public.pem -days 825 -extensions SAN -extfile cert.conf

# clean
rm -rf *.csr *.srl cert.conf || true

# check: both names must show up as DNS: entries
openssl x509 -in cert.public.pem -text -noout | grep DNS
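The same procedure as a reusable function, as an added example (this is not the post's script): it takes any list of hostnames, writes the SAN list and the CA/leaf extensions that real clients check (basicConstraints, keyUsage, extendedKeyUsage serverAuth) into one config file, signs the leaf with the CA, and then verifies chain and hostname with `openssl verify -verify_hostname`, which is the same check curl and browsers perform. It assumes `openssl` 1.1.1 or 3.x on PATH; the file names, the CA name "Demo private CA" and the deliberately unlisted name other.mac-blog.org.ua are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the post's script: private CA + SAN leaf for N hostnames,
# then client-style verification. Assumes openssl 1.1.1 or 3.x on PATH.
set -e

# make_san_cert DIR CN HOST...
# writes DIR/ca.key DIR/ca.pem (the CA) and DIR/cert.key DIR/cert.pem (the leaf)
make_san_cert() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    {
        # [req]/[dn] are required by `openssl req` even though -subj overrides the CN
        printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$cn"
        # extensions for the self-signed CA certificate
        printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE, pathlen:0\n'
        printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
        # extensions for the server certificate: not a CA, TLS server only, names in SAN
        printf '[leaf_ext]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectKeyIdentifier = hash\n'
        printf 'authorityKeyIdentifier = keyid\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=0
        for h in "$@"; do i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$h"; done
    } > "$dir/cert.conf"
    # CA: key and self-signed certificate in one step (-nodes: key stored unencrypted)
    openssl req -x509 -new -config "$dir/cert.conf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -days 3650 -subj "/CN=Demo private CA" 2>/dev/null
    # leaf: key and CSR, then sign with the CA, attaching the leaf_ext section (SAN included)
    openssl req -new -config "$dir/cert.conf" -newkey rsa:2048 -nodes \
        -keyout "$dir/cert.key" -out "$dir/cert.csr" -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/cert.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/cert.conf" -extensions leaf_ext \
        -out "$dir/cert.pem" 2>/dev/null
}

# san_dns_names CERT -> the DNS names from the SAN extension, one per line
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# verify_host CA CERT HOSTNAME -> succeeds only if CERT chains to CA, is usable as a
# TLS server certificate, and its SAN covers HOSTNAME (the check curl and browsers do)
verify_host() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" >/dev/null 2>&1
}

main() {
    out=${1:-$(mktemp -d)}
    make_san_cert "$out" demo.mac-blog.org.ua demo.mac-blog.org.ua www.demo.mac-blog.org.ua
    echo "CA and leaf written to $out; SAN entries:"
    san_dns_names "$out/cert.pem"
    # other.mac-blog.org.ua is deliberately absent from the SAN list and must be rejected
    for h in demo.mac-blog.org.ua www.demo.mac-blog.org.ua other.mac-blog.org.ua; do
        if verify_host "$out/ca.pem" "$out/cert.pem" "$h"; then echo "$h: OK"; else echo "$h: REJECTED"; fi
    done
}

main "$@"
```

Run it as `sh san_cert.sh ./out` to get the files in a directory of your choice; the third hostname is rejected with "hostname mismatch" because the SAN list, not the CN, decides which names a client accepts, so a name added to nginx's server_name later also has to be added to alt_names and the leaf reissued.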

after creation you may give it a try with the following nginx default.conf (both names are listed in server_name, matching the SAN list)

server {
    listen              80;
    listen              443 ssl;
    server_name         demo.mac-blog.org.ua www.demo.mac-blog.org.ua;
    ssl_certificate     cert.public.pem;
    ssl_certificate_key cert.private.pem;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

and run it

docker run -it --rm -p 80:80 -p 443:443 -v $PWD/cert.public.pem:/etc/nginx/cert.public.pem -v $PWD/cert.private.pem:/etc/nginx/cert.private.pem -v $PWD/default.conf:/etc/nginx/conf.d/default.conf nginx:alpine

checks: --resolve points the hostname at the container without touching /etc/hosts, and --cacert makes curl trust only our CA, so a missing SAN entry fails here exactly as it would in a browser

curl -v --cacert ca.public.pem --resolve demo.mac-blog.org.ua:443:127.0.0.1 https://demo.mac-blog.org.ua

curl -v --cacert ca.public.pem --resolve www.demo.mac-blog.org.ua:443:127.0.0.1 https://www.demo.mac-blog.org.ua

openssl s_client -connect localhost:443 -servername demo.mac-blog.org.ua </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

with this we have both CN and SAN; since clients only look at the SAN list, every name in server_name must appear there