SSL Certificate with Virtual Hosts

March 15th, 2009 by bodhi.zazen

This (brief) how-to will show you how to create a self-signed SSL certificate which you can use with multiple virtual hosts. The goal is to use a “wildcard” when generating your certificate, which then allows one to use a single certificate with multiple virtual hosts.

SSL is designed such that you can only have one SSL certificate per hostname per static IP address. This means that, when using SSL with VirtualHosts, you will get “security warnings” that your SSL certificate does not match the hostname.

By using a wildcard, however, you can use a shared SSL certificate with VirtualHosts, such that a single SSL certificate will be valid for:

  • your_site.com
  • ftp.your_site.com
  • mail.your_site.com
  • blog.your_site.com

Note: As long as you self-sign your SSL certificate, you will always get the following error messages:

[Screenshots: the browser’s error message, and adding an exception]

The only way to resolve this “Unknown Identity” message is to purchase a certificate from a recognized CA (Certificate Authority), which is beyond this tutorial. Wildcards also work with a certificate purchased from a CA.

OK, enough background, how can this be done?

It turns out it is quite easy:

  1. Generate a new server key (if needed):

    openssl genrsa -des3 -out your_site.com.key 2048

    • Enter your passphrase when asked (-des3 encrypts the key with it; 2048 is the key size in bits).
  2. Generate a request for a certificate (using *. as a wildcard):

    openssl req -new -key your_site.com.key -out \*.your_site.com.csr

    • Note the use of “*.”? This is the wildcard!
    • The leading \ “escapes” the * and prevents the shell from expanding it.
    • When openssl prompts for the Common Name, enter *.your_site.com there as well: the Common Name in the request, not the file name, is what makes the certificate a wildcard.
  3. Now self-sign the certificate (all one line):

    openssl x509 -req -days 365 -signkey your_site.com.key -in \*.your_site.com.csr -out \*.your_site.com.crt

    • Pay attention to the leading “\*.” as in “\*.your_site.com.csr”. The leading \ prevents the shell from expanding the “*”.
  4. Last, copy your signed certificate to where it belongs and remove the leading “*.”
    • The exact location of your certificate varies by distribution, but for example:

      sudo cp \*.your_site.com.crt /etc/apache2/ssl/your_site.com.crt

    • Notice how, when we copied the certificate to where it belongs, we removed the wildcard from the file name.
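The procedure above run without prompts, as an added example that is not from the original post, together with a check of which hostnames a “*.” name actually covers: by the matching rule browsers apply, *.your_site.com covers ftp.your_site.com but not the bare your_site.com, which is why the example also adds a subjectAltName listing both (that part goes beyond the post). The domain your_site.com, the output directory and the unencrypted key are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the post's steps 1-3 run
# non-interactively, plus a check of what a "*." name covers. Placeholders.
set -eu

# Hostname matching as browsers do it (RFC 2818 / RFC 6125): a wildcard
# covers exactly one label, so "*.your_site.com" matches ftp.your_site.com
# but NOT your_site.com itself and NOT a.b.your_site.com. Returns 0 if covered.
cert_name_matches() {
    pattern=$1; host=$2
    case $pattern in
        '*.'*)
            suffix=${pattern#\*.}                 # your_site.com
            prefix=${host%".$suffix"}             # what is left of ".suffix"
            [ "$prefix" != "$host" ] && [ -n "$prefix" ] &&
                [ "${prefix#*.}" = "$prefix" ]    # must be a single label
            ;;
        *)  [ "$pattern" = "$host" ] ;;
    esac
}

# The wildcard is given as the Common Name via -subj (that, not the file
# name, makes it a wildcard). The key is left unencrypted (no -des3) so
# Apache can start unattended. The subjectAltName goes beyond the post: it
# covers the bare domain too, and current browsers require a SAN anyway.
make_wildcard_cert() {
    domain=$1; dir=${2:-.}
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -subj "/CN=*.$domain" \
        -out "$dir/$domain.csr"
    printf 'subjectAltName=DNS:%s,DNS:*.%s\n' "$domain" "$domain" \
        > "$dir/san.cnf"
    openssl x509 -req -days 365 -signkey "$dir/$domain.key" \
        -in "$dir/$domain.csr" -extfile "$dir/san.cnf" \
        -out "$dir/$domain.crt" 2>/dev/null
    openssl x509 -in "$dir/$domain.crt" -noout -subject   # show the wildcard CN
}

for h in ftp.your_site.com your_site.com a.b.your_site.com; do
    cert_name_matches '*.your_site.com' "$h" && echo "covered:     $h" || echo "NOT covered: $h"
done
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    make_wildcard_cert your_site.com "$workdir"
    rm -rf "$workdir"
fi
```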

Last, restart Apache.

Ubuntu:

sudo /etc/init.d/apache2 restart

Centos:

service httpd restart

Configuring SSL is not difficult, but it is beyond this how-to, and the default location of keys and certificates varies by distribution.

Additional References:

Setting up SSL: Ubuntu and Apache 2
Ubuntu Wiki SSL
(Centos) How to Create Self-Signed SSL Certificates with OpenSSL

Posted in Linux

3 Comments »

  1. You need to escape all instances of * here, since they’re all being used in shell commands. Great otherwise, this will be my new reference for the next time I need to generate SSL certificates :)

    Comment by jgoguen — March 16, 2009 @ 3:58 am

  2. Thanks jgoguen, I updated my post.

    Comment by bodhi.zazen — March 16, 2009 @ 9:58 am

  3. I wrote up on something similar some time ago:
    http://ressukka.net/blog/posts/20080305_openssl_subjaltname/

    The only difference is that, instead of using the wildcard as the main certificate name, I set up the wildcard as subjaltname, which allows one to use the same certificate for both example.com and *.example.com.

    Also, subjaltname allows you to create a certificate that is valid for example.com, *.example.com, example.net and *.example.net at the same time.

    Comment by Sami Haahtinen — March 16, 2009 @ 1:06 pm
