In general, SSL certificates are used to validate a single domain. However, some practical requirements force you to think about securing multiple domains with a single certificate. If you are a beginner, you are searching for the solution to this problem. Then you are at the right place. The short answer to this is, yes, you can secure multiple domains with a single certificate. To acquire an SSL certificate that secures multiple domains, you should generate a CSR (Certificate Signing Request) for your multi-domain certificate to submit to the CA to sign. After you read this post, you will be in a position to answer how to generate a CSR for a multi-domain SSL certificate using OpenSSL.
Before you go ahead, we encourage you to learn about the different types of certificates if you have time.
What Is A Multi-Domain/SAN Certificate?
Multi-domain certificates are certificates that can be used to validate more than one domain name. They are also known by two other names. 1. UCC, which stands for “unified communication certificate,” and 2. SAN (which stands for “subject alternative name”) certificates.
Well, suppose you ever created a Certificate Signing Request for a single domain certificate. In that case, you might be aware of the ‘common name’ field, which contains a Fully Qualified Domain Name (FQDN) for which the certificate is created. Well, if you think you will have multiple common names in a single SSL certificate, you are wrong. You will have only one common name, which is the primary domain of the certificate. In addition to that, you will have multiple Subject Alternative Names (SAN) or Alt Name or DNS Name in the certificate. Each SAN will serve as a common name. That’s why it is also called SAN certificate.
Let’s see an example of a multi-domain or SAN certificate:
If you create a certificate with this information, the certificate will secure all four domains. The same certificate can be used for any of the four domains.
CN (Common Name) = example.com
DNS 1 = www.example.com
DNS 2 = mydomain.com
DNS 3 = exampledomain.com
What Is The Maximum Number Of SAN Are Allowed In A SSL Certificate?
Different Certificate Authorities have specified different maximum limits. Windows Certificate Authority has set the limit up to 4 Kb. However, RFC5280 Section 4.2.1. doesn’t specify the maximum limit. the range is defined as 1…MAX. The value of MAX is not specified.
How To Generate A CSR for Multi-Domain SSL Certificates?
Let’s see how to generate a CSR for the certificate, which can be used to secure multiple domains. Let learn how to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL.
Time needed: 15 minutes.
How to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL?
- Create a copy of OpenSSL config fileCreate a copy of the existing config file. The existing OpenSSL config file will be at /etc/ssl/openssl.cnf or /usr/lib/ssl/openssl.cnf.
Use the cp command to take a copy of the config file:
# cp /etc/ssl/openssl.cnf /home/arunkl/multi-domain-site/
- Edit the config file and enable [ v3_req ]Use your choice of editors to edit the config file. We use nano in this demonstration.
# nano /home/arunkl/multi-domain-site/openssl.cnf
Look for the [ req ] section. Uncomment the following line: If you don’t see the line, add it under the [ req ]. This will direct OpenSSL to read the
[ v3_req ]section.
req_extensions = v3_req
- Enable SubjectAltName under [ v3_req ] sectionScroll down until you see [ v3_req ] and add the following line: This will direct the config file to read alt names.
subjectAltName = @alt_names
- Add Alt Name or SAN names in the config fileCreate a new section [ alt_names ] at the bottom of the config file. Add SAN or DNS or Alt names like this.
[ alt_names ]
DNS.1 = www.exampledomain.com
DNS.2 = exampledomain.com
DNS.3 = thesecmaster.local
DNS.4 = mydomain.local
Note: Do not add the domain name used in the common name field again.
Now you are done with the creation of the config file. Hit Ctrl + o to save the config file and Ctrl + x to exit.
- Generate the private keyRun this command to create a private key for your certificate. Do not use a passphrase as Nginx will have to use this private key.
# openssl genrsa -out example.com.key 2048
- Generate the CSR for multi-domain or SAN certificateCreate the CSR importing the private key and the config file created in the previous sections.
# openssl req -new -key example.com.key -out example.com.csr -config example.com.cnf
- Test the CSRTest the CSR with the following command:
# openssl req -in example.com.csr -noout -text
The CSR is ready to submit to the Certificate Authority.
This is how you can generate a CSR for a multi-domain SSL certificate.