{"id":844,"date":"2015-03-03T23:33:32","date_gmt":"2015-03-04T04:33:32","guid":{"rendered":"http:\/\/xfloyd.net\/blog\/?p=844"},"modified":"2015-03-06T22:50:29","modified_gmt":"2015-03-07T03:50:29","slug":"multi-domain-ssl-setup-with-subject-alternative-names","status":"publish","type":"post","link":"https:\/\/xfloyd.net\/blog\/?p=844","title":{"rendered":"Multi-Domain SSL Setup with \u201cSubject Alternative Names\u201d"},"content":{"rendered":"

SSL Setup for multiple domains\/subdomains is different than single-domain or wildcard domain setup. There are 2-ways to setup this (as far as I know) \u2013 using\u00a0Subject Alternative Names<\/a> and\u00a0Server Name Indication (SNI)<\/a><\/p>\n

In this article, we will use \u201cSubject Alternative Names\u201d method.<\/p>\n

Use Cases<\/h2>\n

This tutorial is intended for following types of use case. If you are trying to setup something else, please ignore this.<\/p>\n

non-www and www version of your site<\/h3>\n
    \n
  1. example.com<\/li>\n
  2. www.example.com<\/li>\n<\/ol>\n

    <\/p>\n

    wildcard (all subdomains) and apex\/root\/naked domain<\/h3>\n
      \n
    1. example.com<\/li>\n
    2. *.example.com<\/li>\n<\/ol>\n

      Please note that most wildcard SSL do not protect your root domain i.e. example.com<\/p>\n

      altogether different domains<\/h3>\n
        \n
      1. example.com<\/li>\n
      2. example.net<\/li>\n
      3. google.com<\/li>\n
      4. rtcamp.com<\/li>\n
      5. www.example.com<\/li>\n<\/ol>\n

        Process<\/h2>\n

        Different companies offers different type of SSL certificates. They have different type of interfaces for CSR signing and certificate generation. So we will outline process on your server-side only (which should remain common across all Ubuntu server)<\/p>\n

        OpenSSL Config File<\/h3>\n

        Copy OpenSSL conf<\/h4>\n

        By default, when you are are running OpenSSL commands, it is picking config from \/etc\/ssl\/openssl.cnf<\/code>\u00a0file.<\/p>\n

        Unless you are configuring only one certificate on your server, it\u2019s better to copy OpenSSL config file to website\u2019s cert folder:<\/p>\n

        cp \/etc\/ssl\/openssl.cnf \/var\/www\/example.com\/cert\/example.com.cnf<\/code><\/pre>\n
        Editing Config File<\/h4>\n
        Open\u00a0\/var\/www\/example.com\/cert\/example.com.cnf<\/code><\/p>\n
        Look for \u00a0[ req ]<\/code> section. Find add uncomment following line:<\/p>\n
        req_extensions = v3_req<\/code><\/pre>\n
        If you don\u2019t find a line like above, you can add one.<\/p>\n
        This will make sure our next section [ v3_req ]<\/code>\u00a0is read\/used.<\/p>\n
        In [ v3_req ]<\/code>\u00a0section, add following line:<\/p>\n
        subjectAltName = @alt_names<\/code><\/pre>\n
        It will look like:<\/p>\n
        [ v3_req ]\r\n\r\n# Extensions to add to a certificate request\r\n\r\nbasicConstraints = CA:FALSE\r\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\r\nsubjectAltName = @alt_names<\/code><\/pre>\n
        Finally add a new section called [\u00a0alt_names ]<\/code>\u00a0towards end of file listing all domain variation you are planning to use.<\/p>\n
        [ alt_names ]\r\nDNS.1 = www.example.com\r\nDNS.2 = example.com<\/code><\/pre>\n
        Note:<\/strong> I couldn\u2019t \u00a0find out whether we need to add domain used in common-name field again here. So I added it again here. Now in common-field, we use\u00a0www.example.com<\/em> version \u2013 if SSL is for www and non-www versions of domains.<\/p>\n
        Now you have your OpenSSL config file ready.<\/p>\n
        OpenSSL Private Key & CSR<\/h3>\n
        Make sure you are currently working in cert folder for your site:<\/p>\n
        cd \/var\/www\/example.com\/cert\/<\/code><\/pre>\n
        Private Key<\/h4>\n
        Run following command to generate private key. Do not use passphrase as nginx will use this private key.<\/p>\n
        openssl genrsa -out example.com.key 2048<\/code><\/pre>\n
        Certificate Signing Request \u2013 CSR generation<\/h4>\n
        Next, we will generate CSR using private key above AND <\/strong>site-specific copy of OpenSSL config file.<\/p>\n
        openssl req -new -key example.com.key -out example.com.csr -config example.com.cnf<\/code><\/pre>\n
        Please note -config<\/code>\u00a0switch. If you forget it, your CSR won\u2019t include (Subject)\u00a0Alternative (domain) Names.<\/p>\n
        Verify CSR<\/h4>\n
        Since sending CSR and getting certificate is time consuming process, it\u2019s better to verify if CSR is generated correctly.<\/p>\n
        Run following command:<\/p>\n
        openssl req -in example.com.csr -noout -text<\/code><\/pre>\n
        You will see something like below in output. Please make sure you read highlighted area.<\/p>\n
        Certificate Request:\r\n    Data:\r\n        Version: 0 (0x0)\r\n        Subject: C=IN, ST=MH, L=PUNE, O=RTCAMP SOLUTIONS PRIVATE LIMITED., CN=www.example.com<\/strong>\/emailAddress=admin@example.com\r\n\t[...]\r\n            X509v3 Basic Constraints: \r\n                CA:FALSE\r\n            X509v3 Key Usage: \r\n                Digital Signature, Non Repudiation, Key Encipherment\r\n            X509v3 Subject Alternative Name: \r\n                DNS:www.example.com, DNS:example.com<\/strong>\r\n\t[...]<\/code><\/pre>\n
        Submitting CSR and Requesting certificate<\/h3>\n
        Once you have CSR, the process of submitting it is online and often coupled with extra steps depending of certificate provider.<\/p>\n
        You can refer to GoDaddy workflow<\/a> and Thawte Workflow<\/a> here.<\/p>\n
        Also, when you get certificate from provider, you can verify if its correct by using this article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
        SSL Setup for multiple domains\/subdomains is different than single-domain or wildcard domain setup. There are 2-ways to setup this (as far as I know) \u2013 using\u00a0Subject Alternative Names and\u00a0Server Name Indication (SNI) In this article, we will use \u201cSubject Alternative Names\u201d method. Use Cases This tutorial is intended for following types of use case. If […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/844"}],"collection":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=844"}],"version-history":[{"count":2,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/844\/revisions"}],"predecessor-version":[{"id":846,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/844\/revisions\/846"}],"wp:attachment":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}