Always start by creating a private key per server (or name); this key should be created only once (and should be valid for 10 years):
openssl genrsa -out servername.domain.extension.key 2048
This command will output:
Generating RSA private key, 2048 bit long modulus (2 primes)
...................+++++
..........................................................................................................................................+++++
e is 65537 (0x010001)
Move this key to:
/etc/apache2/ssl/
You may need to create the folder and grant READ access to the www-data user (or httpd).
We will also install all required certificates in this folder.
Since we use virtual hosts, we also need to handle the SAN (subjectAltName) attribute.
Generate the SAN attribute within the CSR. Create an additional config file, one per hostname, since the attributes are embedded within a .conf file:
mywebname.conf:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Brussels
localityName = Locality Name (eg, city)
localityName_default = Brussels
organizationName = Organization Name (eg, company)
organizationName_default = Your Organisation
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = virtualhostname.domain.extension
#DNS.2 = xxxxxxx
#IP.1 = xx.yy.zz.aa
#IP.2 = ....
Method #1: invoke openssl to create the CSR file with this configuration:
# openssl req -new -sha256 -config mywebname.conf -key servername.domain.extension.key -out virtualhostname.domain.extension.csr
Method #2: request a « classic » CSR, but specify the SAN as an extension via the -addext option:
# openssl req -new -sha256 -key servername.domain.extension.key -out virtualhostname.domain.extension.csr -addext "subjectAltName = DNS:virtualhostname.domain.extension"
Fill in the prompts:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brussels
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nox-Rhea
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:hostname.domain.extension
Email Address []:contact@domain.extension

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
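The key, SAN config and CSR steps above as one script, with checks that the request really carries the names the CA will be asked to sign. This is an added example, not code from the original page; the hostnames, the temporary working directory and the DN values written into the config are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): per-server key, per-hostname SAN
# config, CSR, then verification of what ended up in the request.
set -eu

# Step 1: one private key per server, generated once. umask 077 makes sure the
# file is never group- or world-readable, whatever the caller's umask is.
gen_key() {
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
}

# Step 2: the per-hostname request config. First argument is the file to write,
# the remaining arguments are the DNS names; the first name doubles as the CN.
# prompt = no lets the DN come from the file instead of interactive questions.
write_san_conf() {
    conf=$1; shift
    {
        printf '[ req ]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n'
        printf '[ req_distinguished_name ]\nC = BE\nST = Brussels\nL = Brussels\n'
        printf 'O = Your Organisation\nCN = %s\n' "$1"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
        n=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$n" "$name"
            n=$((n + 1))
        done
    } > "$conf"
}

# Step 3: the CSR, Method #1 style (SAN taken from the config file).
make_csr() {
    openssl req -new -sha256 -config "$2" -key "$1" -out "$3"
}

# Check: the request's subjectAltName contains the expected DNS name.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Check: the CN is the one we wanted. OpenSSL prints "CN = x" or "CN=x"
# depending on version, so both spellings are accepted.
csr_cn_is() {
    openssl req -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# Run the whole procedure in a scratch directory and print its path.
demo_csr() {
    work=$(mktemp -d)
    gen_key "$work/server.key"
    write_san_conf "$work/vhost.conf" vhost.example.test www.vhost.example.test
    make_csr "$work/server.key" "$work/vhost.conf" "$work/vhost.csr"
    csr_has_san "$work/vhost.csr" vhost.example.test
    csr_has_san "$work/vhost.csr" www.vhost.example.test
    csr_cn_is "$work/vhost.csr" vhost.example.test
    echo "$work"
}

dir=$(demo_csr)
echo "CSR with SAN ready to paste into the CA web form: $dir/vhost.csr"
```

Running `openssl req -in … -noout -text` on the CSR before submitting it is the cheapest way to catch a missing SAN: a CA that ignores the extension will happily issue a certificate that browsers then reject for the virtual host name.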
A native Microsoft CA server may not generate certificates WITH SAN attributes (that's an optional feature, not enabled by default on 2008 CA servers).
In this case you can enable it by following these steps:
Go to the Microsoft CA server:
https://Your-CA-Server.domain.extension/certsrv/
then choose:
Paste the CSR file's content
If you've opted for Method #1:
Select the « webserver » template
Click « submit »
If you've opted for Method #2:
Select the « webserver » template
Within « Additional Attributes » type:
san:dns=My_Virtual_Name.domain.extension
Click « submit »
Download the certificate as a Base64 file:
Choose « Download Certificate »
You can download your CA certificate on the CA server's home page.
Choose the certificate and download it as Base64:
Change the site's configuration file (generally located in /etc/apache2/sites-available/):
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/AD-Certificates.domain.extension.crt
SSLCertificateKeyFile /etc/apache2/ssl/GeneratedKey.domain.extension.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/apache2/ssl/LWWK-CA.crt
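Before reloading Apache with the configuration above, it is worth installing the three files with permissions that keep the key private and checking that the certificate the CA returned, the private key and the downloaded CA certificate actually agree. The script below is an added example, not code from the original page: the ssl directory and the web-server group are parameters, "www-data" and the hostnames are placeholders, and the throw-away CA in `make_test_material` is a constructed stand-in for the Microsoft CA so the checks can run offline.

```shell
#!/bin/sh
# Added example (not from the original page): install cert, key and CA file,
# then verify they belong together before Apache is reloaded.
set -eu

# Certificates are public (0644). The key is readable by root and the web
# server group only (0640); the directory is traversable by that group.
install_ssl_files() {
    dir=$1 crt=$2 key=$3 chain=$4 group=$5
    mkdir -p "$dir"
    chmod 0750 "$dir"
    cp "$crt" "$chain" "$dir/"
    chmod 0644 "$dir/$(basename "$crt")" "$dir/$(basename "$chain")"
    cp "$key" "$dir/"
    chmod 0640 "$dir/$(basename "$key")"
    # chgrp needs root and an existing group; outside a real server just warn.
    chgrp "$group" "$dir" "$dir/$(basename "$key")" 2>/dev/null \
        || echo "note: could not chgrp to '$group'" >&2
}

# Lists any key under the ssl dir that is world-readable or group-writable.
exposed_keys() {
    find "$1" -name '*.key' \( -perm -004 -o -perm -020 \)
}

# The issued certificate must contain the public half of our private key.
# Both commands print the same SubjectPublicKeyInfo PEM, so hashes compare.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# The CA certificate downloaded from the CA home page must sign the server cert.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The SAN requested (san:dns=...) must have survived issuance.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Constructed stand-in for the Microsoft CA: a throw-away CA plus a certificate
# it issues for $2. On a real server the CA-issued files are used instead.
make_test_material() {
    d=$1 host=$2
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\nCN = Test CA\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$d/ca.cnf"
    openssl req -x509 -new -sha256 -days 1 -config "$d/ca.cnf" -key "$d/ca.key" -out "$d/ca.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$host" > "$d/srv.cnf"
    openssl req -new -sha256 -config "$d/srv.cnf" -key "$d/server.key" -out "$d/server.csr"
    printf 'subjectAltName = DNS:%s\n' "$host" > "$d/san.ext"
    openssl x509 -req -sha256 -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/san.ext" -out "$d/server.crt" 2>/dev/null
}

# Install into a scratch directory, run every check, print the directory.
demo_install() {
    d=$(mktemp -d)
    make_test_material "$d" vhost.example.test
    install_ssl_files "$d/ssl" "$d/server.crt" "$d/server.key" "$d/ca.crt" www-data
    cert_matches_key "$d/ssl/server.crt" "$d/ssl/server.key"
    chain_verifies "$d/ssl/server.crt" "$d/ssl/ca.crt"
    cert_has_san "$d/ssl/server.crt" vhost.example.test
    [ -z "$(exposed_keys "$d/ssl")" ]
    echo "$d"
}

dir=$(demo_install)
echo "certificate, key and CA agree; files installed under $dir/ssl"
```

On a real server the three paths passed to `install_ssl_files` are the CA-issued .crt, the key generated at the top of this page and the Base64 CA certificate downloaded from the CA home page. Note that Apache 2.4.8 and later deprecate SSLCertificateChainFile; appending the CA certificates to the file named by SSLCertificateFile, which the comment in the snippet above already allows, works on both old and new versions.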