Support Multiple Common Names in Certificate

Question

I am trying to generate a self signed certificate for secured grpc communication. Below is what I have tried and connection between services work flawlessly in localhost.

However, the moment I deploy one of the services to production(Google Cloud Run) connection stops working. How can I make the certificate to support connection whether in localhost or in production.

Below is the certificate generation script I have tried.

generator.sh

# Clean Up
rm *.crt

echo "Generating certificates ..."

openssl genrsa -passout pass:1111 -des3 -out ca.key 4096

openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj  "/C=CL/ST=RM/L=Santiago/O=Test/OU=Test/CN=ca"

openssl genrsa -passout pass:1111 -des3 -out server.key 4096

openssl req -passin pass:1111 -new -key server.key -out server.csr -subj  "/C=CL/ST=RM/L=Santiago/O=Test/OU=Server/CN=localhost"

openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

openssl rsa -passin pass:1111 -in server.key -out server.key

openssl genrsa -passout pass:1111 -des3 -out client.key 4096

openssl req -passin pass:1111 -new -key client.key -out client.csr -subj  "/C=CL/ST=RM/L=Santiago/O=Test/OU=Client/CN=localhost"

openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

openssl rsa -passin pass:1111 -in client.key -out client.key

How can I make connection between services work all the time whether in localhost or in production which in my own case is Google Cloud Run (*.run.app)?

Thank you.

Where are you installing the SSL certificate? You mention Cloud Run. Cloud Run services are HTTP only. The GFE handles SSL certificates and custom domain mapping for Cloud Run services. Edit your question to provide more details. — John Hanley, Nov 11 '22 at 00:52

score 3 · Answer 1 · answered Nov 10 '22 at 21:59

Your title says "multiple Common Names in certificate" but your body effectively says (twice) "work both for localhost and other host(s)". Those are entirely different. The X.509 certificate structure is quite flexible and it is technically possible to create one with multiple CommonName attributes in Subject, but if used for SSL/TLS (including HTTPS) only one of them will actually be considered when determining certificate validity; see rfc2818 and rfc6125.

There are two ways to have a certificate usable for multiple server names, which can actually be multiple names for one server (common in virtual hosting) or different servers (your case):

use a wildcard name. If you make all your machines have names which vary only in the first DNS label, such as the pattern you posted *.run.app, you can use one CommonName containing that wildcard. If your 'localhost' is actually your own computer or VM, you can use /etc/hosts or a local DNS like dnsmasq or unbound to assign it a name matching this pattern such as myownmachine.run.app and that will work with this certificate.
use the Subject Alternative Name/SAN extension which can contain multiple values each of which is either a DNS name or wildcard or an IP address (you probably don't want the latter, but it's available). All certs from real (public) CAs have used SAN since about 2010. For SAN in OpenSSL, see to start

Add SAN with private CA
Requested Extensions in CSR not being reflected in CRT
Self signed SSL certificate: Subject Alternative Name (SAN) gets lost when signing
https://security.stackexchange.com/questions/204036/specify-subject-alt-names-in-openssl
https://security.stackexchange.com/questions/190905/subject-alternative-name-in-certificate-signing-request-
https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line

Support Multiple Common Names in Certificate

1 Answers1