SSL – Apache, SSL, self-signed, multi-domain certificates

Tags: apache-2.2, mod-ssl, ssl, ssl-certificate

Target:

Generate a single SSL certificate that's valid for

  • domain1.com
  • *.domain1.com
  • domain2.com
  • *.domain2.com

It can be self-signed or signed by a locally generated CA.


Scenario 1

# ssl.conf

[ req ]
default_bits        = 1024
default_keyfile     = server.key
distinguished_name  = req_distinguished_name
req_extensions     = req_ext # The extensions to add to the self-signed cert

[ req_distinguished_name ]
countryName           = Country Name (2 letter code)
countryName_default   = US
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Connecticut
localityName            = Locality Name (eg, city)
localityName_default    = Stamford
organizationName        = Organization Name (eg, company)
organizationName_default    = Example, Inc.
commonName            = Common Name (eg, YOUR name)
commonName_max        = 64

[ req_ext ]
subjectAltName          = @alt_names

[alt_names]
DNS.1   = *.domain1.com
DNS.2   = *.domain2.com

CN entered during CSR generation:

*.domain1.com

Firefox error on domain2.com:

domain2.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for *.domain1.com

(Error code: sec_error_untrusted_issuer)

SSL Cert in plain text:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            e9:59:8a:31:8e:29:df:bf
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com
        Validity
            Not Before: Oct 27 06:18:28 2010 GMT
            Not After : Oct 24 06:18:28 2020 GMT
        Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c9:9c:50:52:be:35:64:98:7a:b9:49:8a:f3:f0:
                    af:52:62:49:2f:d3:a1:a3:d7:78:b1:88:14:e9:b2:
                    52:f1:2a:04:71:76:14:a3:17:d8:15:61:da:de:50:
                    5b:dd:66:74:12:8d:d6:6b:15:94:35:20:7b:cf:e7:
                    32:31:33:d5:f5:b9:12:a5:dc:a6:7d:08:1f:c9:f6:
                    9f:35:4d:46:1d:a0:a9:6e:90:35:0f:21:7d:76:d2:
                    96:41:7c:c9:4a:fd:9d:81:be:89:f6:f4:70:eb:52:
                    56:5d:0c:d5:62:2b:d5:fc:7f:21:0a:9c:e9:19:d5:
                    ad:dc:6b:2b:12:3e:47:3a:ed
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        a1:1f:4f:85:ae:82:52:d0:7e:47:59:fb:d2:17:5c:04:2a:a9:
        28:82:84:71:70:41:8d:61:51:3d:89:a9:0c:b3:a2:fd:f9:ff:
        c6:e4:aa:3a:5b:0f:c5:17:f3:62:4a:78:78:10:bf:45:e6:f4:
        f3:43:3b:dc:26:fd:86:17:fc:f5:e2:1a:ee:fe:76:6e:59:7f:
        b1:38:ad:d8:6d:8e:23:55:39:bc:47:20:c9:a0:f4:db:64:ed:
        5b:b2:bf:44:a6:a9:82:fb:76:b9:87:6c:92:07:42:f6:a3:00:
        c1:58:86:b2:2b:0e:6f:f1:74:4a:08:6f:37:80:02:65:4b:e5:
        0d:a9

Scenario 2:

[ req ]
default_bits        = 1024
default_keyfile     = server.key
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
countryName           = Country Name (2 letter code)
countryName_default   = US
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Connecticut
localityName            = Locality Name (eg, city)
localityName_default    = Stamford
organizationName        = Organization Name (eg, company)
organizationName_default    = Example, Inc.
0.commonName            = Common Name (eg, YOUR name)
0.commonName_default    = *.domain1.com
0.commonName_max        = 64
1.commonName            = Common Name (eg, YOUR name)
1.commonName_default    = *.domain2.com
1.commonName_max        = 64

Firefox output in this case:

domain1.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for *.domain2.com

Plain Text SSL Cert output:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            80:b5:78:8a:27:0e:e5:b8
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com, CN=*.domain2.com
        Validity
            Not Before: Oct 27 06:05:40 2010 GMT
            Not After : Oct 24 06:05:40 2020 GMT
        Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com, CN=*.domain2.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:e8:f6:a6:ef:a7:68:cd:5d:99:d8:5a:7d:9e:23:
                    4e:9f:67:f8:e0:20:8a:5c:ad:5f:1f:71:63:66:cf:
                    34:7d:c8:21:86:65:3b:07:ed:27:4c:f8:55:08:7e:
                    67:5e:c3:e9:53:0c:44:3f:1f:e8:f9:85:24:6e:60:
                    c6:98:b4:f0:13:85:46:23:c3:bf:ec:3c:5b:0d:cb:
                    bd:8a:67:c3:a6:fe:d2:27:de:38:60:23:fd:12:9d:
                    95:1a:38:c6:bc:81:57:bb:c1:1a:60:1a:79:c9:f1:
                    d9:e4:a0:2d:a1:6e:c6:12:e7:2a:e2:76:d7:56:89:
                    a9:77:ce:7e:d1:d6:b8:28:1b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        41:82:a7:c1:f2:11:e6:04:a8:7b:58:3c:47:ac:af:d9:46:48:
        87:24:c4:f2:fe:94:94:5f:6c:54:17:51:26:73:0b:fb:97:74:
        82:47:1d:7f:b8:63:ca:6c:49:e6:36:86:bf:7d:60:7a:74:c0:
        41:43:2a:35:7a:67:11:2b:cc:91:4e:5e:d4:23:9e:2b:a7:ad:
        35:af:90:82:7e:33:ac:36:f7:c4:46:fc:81:55:f4:3f:75:04:
        67:07:cb:8f:2b:3c:07:c0:a2:61:bc:f1:aa:fe:b3:26:c9:dc:
        a1:a1:6a:e6:81:95:1f:a9:36:33:bb:b0:04:45:69:cf:51:9d:
        8d:45

Vhosts

<VirtualHost 127.0.1.3:443>
        ServerName domain1.com
        ServerAlias www.domain1.com
        ServerAlias www1.domain1.com
        ServerAlias www2.domain1.com
        ServerAdmin webmaster@domain1.com
        DocumentRoot /var/www/ssltest/domain1/

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl-files/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl-files/server.key

        ErrorLog /var/log/apache2/domain1.com-error_log
        CustomLog /var/log/apache2/domain1.com-access_log common
</VirtualHost>

<VirtualHost 127.0.1.2:443>
        ServerName domain2.com
        ServerAlias www.domain2.com
        ServerAlias www1.domain2.com
        ServerAlias www2.domain2.com
        ServerAdmin webmaster@domain2.com
        DocumentRoot /var/www/ssltest/domain2/

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl-files/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl-files/server.key

        ErrorLog /var/log/apache2/domain2.com-error_log
        CustomLog /var/log/apache2/domain2.com-access_log common
</VirtualHost>

Also, in each scenario Firefox complains:

domain1.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for *.domain1.com

(Error code: sec_error_untrusted_issuer)

if I visit https://domain1.com instead of one of the ServerAliases in the vhost config.
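Added example, not code from the question or the answer: it puts all four target names from the question into one self-signed certificate as subjectAltName entries and then checks the certificate against each hostname the way a client does. It assumes an OpenSSL 1.1.0 or newer binary (for `openssl verify -verify_hostname`) and works in a temporary directory; the config file and its section names are constructed for this example.

```shell
# Added example (not from the original post): one self-signed cert for
# domain1.com, *.domain1.com, domain2.com, *.domain2.com, then per-host checks.
set -e
WORK=$(mktemp -d)
CONF="$WORK/ssl.conf"; KEY="$WORK/server.key"; CRT="$WORK/server.crt"
cat > "$CONF" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name
# x509_extensions (not req_extensions) is what `req -x509` writes into the cert
x509_extensions     = v3_san

[ req_distinguished_name ]
C  = US
ST = Connecticut
L  = Stamford
O  = Example, Inc.
# One CN only, kept as a label; clients match the SAN list when it is present
CN = domain1.com

[ v3_san ]
subjectAltName = @alt_names

[ alt_names ]
# A wildcard never covers the bare domain, so both forms are listed
DNS.1 = domain1.com
DNS.2 = *.domain1.com
DNS.3 = domain2.com
DNS.4 = *.domain2.com
EOF
# Key and X.509v3 cert in one step. A CSR followed by `x509 -req` drops the
# extensions (the Version 1 cert seen above) unless -extfile is given there too.
openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
    -config "$CONF" -keyout "$KEY" -out "$CRT" 2>/dev/null
# The names a client actually compares against.
openssl x509 -in "$CRT" -noout -text | grep -A1 'Subject Alternative Name'

# Exit 0 if the cert is valid for hostname $1, non-zero otherwise. The cert is
# its own trust anchor here, so only the hostname check can fail.
cert_matches() {
    openssl verify -CAfile "$CRT" -verify_hostname "$1" "$CRT" >/dev/null 2>&1
}

for h in domain1.com www.domain1.com domain2.com www2.domain2.com; do
    cert_matches "$h" && echo "ok      $h"
done
# A wildcard matches exactly one label, so a deeper name is rejected.
cert_matches a.b.domain1.com || echo "reject  a.b.domain1.com"
```

Dropping the two bare-domain entries from alt_names reproduces the "only valid for *.domain1.com" error on https://domain1.com exactly as reported above.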

Best Answer

My apologies if I missed some detail that makes this totally wrong (I've got limited time right now, I'll read it all in detail later). Looks like you're trying to issue a cert with multiple wildcards; that's invalid for almost all browsers.