SSL Certificate with Virtual Hosts

This (brief) how-to shows you how to create a self-signed SSL certificate that you can use with multiple virtual hosts. The goal is to use a wildcard when generating the certificate, so that a single certificate can serve multiple virtual hosts.

SSL is designed such that a server can present only one certificate per IP address: the handshake happens before the server learns which hostname the client asked for. This means that when you use SSL with name-based VirtualHosts, you will get “security warnings” that the SSL certificate does not match the hostname.

By using a wildcard, however, you can share one SSL certificate across VirtualHosts, so that a single certificate is valid for:

  • your_site.com
  • ftp.your_site.com
  • mail.your_site.com
  • blog.your_site.com

Note: as long as you self-sign your SSL certificate, browsers will always show the following messages:

(Screenshot: Error message)

(Screenshot: Adding an exception)

The only way to get rid of this “Unknown Identity” message is to purchase a certificate from a recognized CA (Certificate Authority), which is beyond this tutorial. Wildcard certificates are also available from commercial CAs.

OK, enough background, how can this be done?

It turns out it is quite easy:

  1. Generate a new server key (if needed), here 2048 bits:

    openssl genrsa -des3 -out your_site.com.key 2048

    • Enter your passphrase when asked.
  2. Generate a certificate signing request, using “*.” as the wildcard:

    openssl req -new -key your_site.com.key -out \*.your_site.com.csr

    • When prompted for the Common Name, enter *.your_site.com. The Common Name is what actually ends up in the certificate; the “*.” in the file name is only a label.
    • Note the use of “*.”? This is the wildcard!!!
    • The leading \ “escapes” the * and prevents the shell from expanding it.
  3. Now self-sign the certificate (all one line):

    openssl x509 -req -days 365 -signkey your_site.com.key -in \*.your_site.com.csr -out \*.your_site.com.crt

    • Again, pay attention to the leading “\*.” in “\*.your_site.com.csr”: the \ prevents the shell from expanding the “*”.
  4. Last, copy your signed certificate to where it belongs and drop the leading “*.” from the file name:
    • The exact location of your certificate varies by distribution, but for example:

      sudo cp \*.your_site.com.crt /etc/apache2/ssl/your_site.com.crt

    • Notice that when we copied the certificate to where it belongs, we dropped the wildcard from the file name.

Last, restart Apache.

Ubuntu:

sudo /etc/init.d/apache2 restart

CentOS:

service httpd restart

Configuring SSL in Apache is not difficult, but it is beyond this how-to, and the default location of keys and certificates varies by distribution.

Additional References:

Setting up SSL: Ubuntu and Apache 2
Ubuntu Wiki SSL
(Centos) How to Create Self-Signed SSL Certificates with OpenSSL


3 Responses to SSL Certificate with Virtual Hosts

  1. jgoguen says:

    You need to escape all instances of * here, since they’re all being used in shell commands. Great otherwise, this will be my new reference for the next time I need to generate SSL certificates :)

  2. bodhi.zazen says:

    Thanks jgoguen, I updated my post.

  3. I wrote up on something similar some time ago:
    http://ressukka.net/blog/posts/20080305_openssl_subjaltname/

    The only difference is that instead of using the wildcard as the main certificate name, I set up the wildcard as subjaltname, which allows one to use the same certificate for both example.com and *.example.com.

    Also, subjaltname allows you to create a certificate that is valid for example.com, *.example.com, example.net and *.example.net at the same time.
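The three-step procedure from the post, run non-interactively with -subj, plus the subjectAltName the comment above suggests, as an added example (not code from the original post or from its commenters). It assumes example.com as the domain, writes into a temporary directory instead of /etc, and the helper names gen_wildcard_cert, cert_cn and cert_matches_host are mine.

```shell
#!/bin/sh
# Added example, not from the original post: generate a self-signed wildcard
# certificate non-interactively and check which hostnames it actually covers.
# DOMAIN and WORKDIR are assumed/constructed values for this example.
set -eu

DOMAIN="example.com"                 # assumed domain
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # keys and certs land here, not in /etc

gen_wildcard_cert() {
    # 1. server key (2048 bits; no -des3 so the script needs no passphrase)
    openssl genrsa -out "$WORKDIR/$DOMAIN.key" 2048 2>/dev/null
    # 2. CSR: the wildcard must be in the Common Name itself,
    #    the file name is only a label
    openssl req -new -key "$WORKDIR/$DOMAIN.key" -subj "/CN=*.$DOMAIN" \
        -out "$WORKDIR/$DOMAIN.csr" 2>/dev/null
    # 3. self-sign, adding a SAN so both the bare domain and *.domain are covered
    printf 'subjectAltName=DNS:%s,DNS:*.%s\n' "$DOMAIN" "$DOMAIN" > "$WORKDIR/san.ext"
    openssl x509 -req -days 365 -signkey "$WORKDIR/$DOMAIN.key" \
        -in "$WORKDIR/$DOMAIN.csr" -extfile "$WORKDIR/san.ext" \
        -out "$WORKDIR/$DOMAIN.crt" 2>/dev/null
}

# Subject CN of the generated certificate, e.g. "*.example.com"
cert_cn() {
    openssl x509 -noout -subject -in "$WORKDIR/$DOMAIN.crt" | sed 's/.*CN *= *//'
}

# Returns 0 when the certificate is valid for the given hostname, 1 otherwise.
# openssl prints "does match" or "does NOT match"; the exit status of
# -checkhost alone is not a reliable signal across versions, so grep the text.
cert_matches_host() {
    openssl x509 -noout -checkhost "$1" -in "$WORKDIR/$DOMAIN.crt" 2>/dev/null \
        | grep -q 'does match'
}

gen_wildcard_cert
echo "CN: $(cert_cn)"
# a wildcard covers one label only: www.example.com yes, a.b.example.com no
for h in "$DOMAIN" "www.$DOMAIN" "a.b.$DOMAIN"; do
    if cert_matches_host "$h"; then echo "$h: match"; else echo "$h: no match"; fi
done
```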
