
I need to set up HTTPS for multiple domains, xxxx.com and xxxx.net (with a single common certificate).

The CA we are buying the certificate from asks us to create a Certificate Signing Request (CSR), but when I generate it with openssl it asks for only one name.

How do I make one CSR for multiple domains?

Djangonaut
    A little Googling [got me this](https://certificates.heanet.ie/node/17). – Linus Kleen Dec 15 '11 at 08:36
  • @LinusKleen: Will that result in a single certificate with multiple domains in it? Is that even possible? Or will you get multiple certificates (using the same private key)? – Thilo Dec 15 '11 at 08:43
  • It's possible, @Thilo. It's a single certificate with its subject containing multiple CNs. – Linus Kleen Dec 15 '11 at 08:44
  • Do all browsers like that? Any examples in the wild? – Thilo Dec 15 '11 at 08:54
  • @Thilo Yes, [my site](https://perfect-co.de/) has one, for example. Multi-Domain certificates aren't that new and supported by all major browsers. – Linus Kleen Dec 15 '11 at 09:24
  • Cool. Turn all that talk into an answer, please. – Thilo Dec 15 '11 at 09:45
  • @LinusKleen: your site also has them in the SANs, where they should be. (The CN or CNs are ignored when SANs are present.) – Bruno Dec 15 '11 at 13:03

1 Answer


Avoid certificates with multiple CNs (as suggested in comments); that's not how the specifications (RFC 2818 and RFC 6125) say it should work and, although it may work in some client applications, it will usually fail. From RFC 2818:

> If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Instead, generate certificates (or CSR) with multiple Subject Alternative Names (SANs).

If you're using OpenSSL, edit your openssl.cnf (or edit a copy) and set these properties, in the relevant sections (`[req]` and `[v3_req]`):

```ini
[req]
req_extensions = v3_req

[v3_req]
subjectAltName=DNS:www.example1.com,DNS:www.example2.com,DNS:www.example3.com
```

There's also a nice trick to use an environment variable for this (rather than fixing it in a configuration file) here: http://www.crsr.net/Notes/SSL.html

You may also want to have one of them (any) in the CN.

(You may also be interested in this answer.)

Bruno
  • FTR if you use XCA, it's under *Extensions > X509v3 Subject Alternative Name* when creating a cert. Thanks! – Yajo Mar 20 '17 at 10:57
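Below is an added example that is not part of the answer above: a small POSIX shell script that puts the `[req]` / `[v3_req]` settings into a stand-alone config file, pulls the SAN list from an environment variable (the `$ENV::` trick the answer links to), generates a key and CSR with `openssl req`, and prints the SAN extension back out so you can confirm every name is present before sending the CSR to the CA. The file names (`san.cnf`, `example.key`, `example.csr`) and hostnames are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): generate a multi-domain CSR
# with OpenSSL by listing the names in subjectAltName rather than the CN.
# File names and hostnames below are illustrative placeholders.

set -eu

# Write a minimal req config. The SAN list is read from the SAN environment
# variable (${ENV::SAN}), so one file serves any set of domains. The heredoc is
# quoted so the shell leaves ${ENV::SAN} for openssl to expand.
write_san_config() {
    cfg="$1"
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[req_distinguished_name]
CN = www.example1.com

[v3_req]
subjectAltName = ${ENV::SAN}
EOF
}

# Turn a list of hostnames into the DNS:a,DNS:b form subjectAltName expects.
san_value() {
    out=""
    for host in "$@"; do
        out="${out:+$out,}DNS:$host"
    done
    printf '%s' "$out"
}

# Generate a fresh 2048-bit RSA key and a CSR carrying the SAN extension,
# then show the extension so the names can be checked before submission.
make_csr() {
    cfg="$1"; key="$2"; csr="$3"; shift 3
    SAN="$(san_value "$@")"
    export SAN
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -config "$cfg"
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: sh make_san_csr.sh run
if [ "${1:-}" = "run" ]; then
    write_san_config san.cnf
    make_csr san.cnf example.key example.csr \
        www.example1.com www.example2.com www.example3.com
fi
```

The CN is set to one of the SAN entries, as the answer recommends; clients that honour RFC 2818 will ignore it once the SAN extension is present, so the SAN list is what must be complete. Always inspect the CSR with `openssl req -in example.csr -noout -text` before submitting it: a config file that is missing `req_extensions = v3_req` silently produces a single-name CSR.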