I am trying to generate a self-signed SSL certificate to secure both example.com
and *.example.com
. Looking at the answers to this and this questions, there seems to be an equal number of people agreeing and disagreeing whether this could be done. However, the website from a certification authority seems to suggest that it could be done.
Currently, these are the changes added to my openssl configuration file:
[req]
req_extensions = v3_req
[req_distinguished_name]
commonName = example.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
I tried the above configuration and generated a certificate. When navigating to https://example.com
, it produces the usual warning that the cert is "self-signed". After acceptance, I navigate to https://abc.example.com
and an additional warning is produced, saying that the certificate is only valid for example.com
.
The certificate details only listed example.com
in the certificate hierarchy with no signs of any wildcard subdomain being present.
I am not sure whether this is due to a misconfiguration or that the common name should have a wildcard or that this could not be done.
Further Update:
This is what I get by viewing the certificate request with openssl:
# openssl req -text -noout -in eg.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=xx, L=Location, O=Example Pte Ltd, CN=example.com/emailAddress=admin@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c1:c7:0d:7e:b7:48:d3:b8:9a:5a:88:db:c2:91:
...
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:example.com, DNS:*.example.com
Signature Algorithm: sha1WithRSAEncryption
4d:4a:8a:d9:32:e2:31:c5:6c:8c:6a:2a:a6:c3:17:63:dd:a4:
...
And this is what I get by viewing the cert:
# openssl x509 -in eg.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
d0:9e:b3:d5:83:b5:a1:0d
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=xx, L=Location, O=Example Pte Ltd, CN=example.com/emailAddress=admin@example.com
Validity
Not Before: Sep 30 10:16:34 2012 GMT
Not After : Sep 30 10:16:34 2013 GMT
Subject: C=xx, L=Location, O=Example Pte Ltd, CN=example.com/emailAddress=admin@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c1:c7:0d:7e:b7:48:d3:b8:9a:5a:88:db:c2:91:
...
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
3d:98:0d:f1:1b:06:27:63:09:14:4d:41:37:49:eb:70:15:1c:
...
When viewed through a browser, the certificate field is supposed to contain an extension for the subject alternative name. But it wasn't there. I suppose there could be some problems while generating the cert if this indeed could be achieved.
Best Answer
Yes, it works just fine. You'll commonly see the wildcard as the certificate's Subject in wildcards issued by public certificate authorities, with the base domain as a Subject Alternative Name, but I believe the opposite arrangement works as well.
Take a look at the certificate you've generated - are the alt_names being correctly incorporated into the certificate?