
Multiple SSL Sites Using SubjectAltName

Author: Phil Paradis
Published: November 16, 2009
Revised: July 8, 2010

If you're generating your own SSL certificates, you may wish to create a certificate that is valid for multiple DNS names. Using this approach, you can host multiple SSL sites on a single IP address. We assume you've completed the steps detailed in our getting started guide, and that you're logged into your Linode as root via an SSH session.

These instructions work with the Linode platform. If you don't have a Linode yet, sign up for a Linux VPS and get started today.

Install OpenSSL

Issue the following command to install required packages for OpenSSL, the open source SSL toolkit.

Debian/Ubuntu users:

apt-get update
apt-get upgrade
apt-get install openssl
mkdir /etc/ssl/localcerts

CentOS/Fedora users:

yum install openssl
mkdir /etc/ssl/localcerts

Generate the Certificate

Edit the file /usr/lib/ssl/openssl.cnf, inserting the following line immediately before the "HOME" entry.

File excerpt: /usr/lib/ssl/openssl.cnf

SAN="email:support@yourdomain.com"

Change "yourdomain.com" to match the domain name used for your server's fully qualified domain name (FQDN). Next, add the following line immediately after the "[ v3_req ]" section marker.

File excerpt: /usr/lib/ssl/openssl.cnf

subjectAltName=${ENV::SAN}

These statements instruct OpenSSL to use your default support email address as the SAN field for new SSL certificates when no other alternate names are provided. When the environment variable "SAN" is set, OpenSSL reads it instead to obtain the list of alternate DNS names that should be considered valid for new certificates.

At the shell prompt, issue the following command to declare the domain names that you want to include in your certificate:

# The variable must be exported so that the openssl process can read it.
export SAN="DNS:www.firstsite.org, DNS:firstsite.org, DNS:www.secondsite.org, DNS:secondsite.org"

Substitute your own domain names for "firstsite.org" and "secondsite.org", adding further domains delimited by commas. For convenience, we're including the base domain for each site as well; this prevents the errors that would otherwise occur when a user omits the "www" part.

Issue the following command to generate the certificate itself. Note that this command should be issued on a single line, without the backslash (\):

# -extensions v3_req selects the section edited above; without it 'req -x509'
# uses the default x509_extensions section (v3_ca) and omits the SAN entries.
openssl req -new -x509 -days 365 -nodes -extensions v3_req \
 -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key

OpenSSL will ask you for several configuration values. Enter values appropriate for your organization and server, as shown in the session below. This example creates a certificate valid for 365 days; you may wish to increase this value. We've specified the FQDN (fully qualified domain name) of the VPS for the "Common Name" entry, as this certificate will be used for generic SSL service.

Generating a 1024 bit RSA private key
...................................++++++
..............................++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Jersey
Locality Name (eg, city) []:Absecon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftwareDev, LLC
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, YOUR name) []:archimedes.mydomain.com
Email Address []:support@mydomain.com

You'll need to configure the applicable server software on your Linode to use the newly generated certificate. After accepting an initial warning regarding the certificate for the first domain you access over SSL, you should be able to access the domains you specified over SSL without further warnings.
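As an added example (not part of the Linode guide), the following script reproduces the procedure above against a throwaway openssl.cnf in a temporary directory instead of the system file, and then reads the Subject Alternative Name entries back out of the resulting certificate so you can confirm they were actually included. The domain names, the Common Name host.example.org, the support address and the working directory are assumed values.

```shell
# Added example (not from the Linode guide): build a self-signed SAN certificate
# from a throwaway openssl.cnf instead of editing the system file, then read the
# names back out of the certificate. Domain names and paths are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal config mirroring the guide's two edits: a default SAN value in the
# unnamed top section, and ${ENV::SAN} under [ v3_req ]. OpenSSL resolves
# ENV::SAN from the environment first and falls back to the config default.
write_openssl_cnf() {
  cat > "$WORK/openssl.cnf" <<'EOF'
SAN = email:support@example.org
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = host.example.org
[ v3_req ]
subjectAltName = ${ENV::SAN}
EOF
}

# Key + self-signed certificate. -extensions v3_req matters: 'req -x509'
# otherwise takes its extensions from x509_extensions (v3_ca by default) and
# the certificate silently lacks the SAN. 2048-bit RSA, not the old 1024 default.
gen_cert() {
  openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -extensions v3_req \
    -config "$WORK/openssl.cnf" -out "$1" -keyout "$WORK/apache.key" 2>/dev/null
}

# With an argument, export it as SAN for one run (the guide's shell step);
# with none, leave SAN unset so the config default (the email) is used.
make_san_cert() {
  write_openssl_cnf
  if [ $# -gt 0 ]; then
    out="$WORK/cert-from-env.pem"
    (export SAN="$1"; gen_cert "$out")
  else
    out="$WORK/cert-default.pem"
    (unset SAN; gen_cert "$out")
  fi
  echo "$out"
}

# Print each Subject Alternative Name entry of a certificate on its own line.
san_cert_names() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}
```

Run `san_cert_names "$(make_san_cert 'DNS:www.firstsite.org, DNS:firstsite.org')"` to see the names, and `san_cert_names "$(make_san_cert)"` to confirm the email fallback; the same `openssl x509 -noout -text` check works on the certificate produced by the guide's own command.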

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

License

This guide is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License. Please feel free to redistribute unmodified copies of it as long as attribution is provided, preferably via a link to this page.

Comments

Submitted by Anonymous Visitor on Wednesday, March 3 2010 at 06:28:08 GMT

The last code snippet shows the files being written to '/etc/apache2/ssl/apache.pem' but the code snippet above shows '/etc/ssl/localcerts/apache.pem' as the destination.
