SSL – Use of Server Alternative Name Certificates

By | 30 October, 2012

This procedure is for creating certificates on Windows Clients/Servers and will result in a p12/pfx formatted certificate with private key inside it. (Careful there as you should never have easily copied private keys anywhere…warning over).

1. Download OpenSSL here:

http://www.openssl.org/related/binaries.html directs you to here: http://slproweb.com/products/Win32OpenSSL.html

2. (If required download pre-requisite Visual C++ 2008 runtimes here: http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF)

3. Install OpenSSL (and Runtimes)

4. Create a new Private key….

bin\openssl genrsa -out privkey2.pem 2048

5. Create a new file called req.conf in the directory you installed OpenSSL in and put the following in:

[ req ]
default_bits = 2048
default_keyfile = privkey2.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext # The extensions to add to the certificate request

# Each bare key below is the label openssl shows at the prompt; the matching
# *_default line is the value used when you just press Enter at that prompt.
[ req_distinguished_name ]
countryName = GB
countryName_default = GB
stateOrProvinceName = SomeCounty
stateOrProvinceName_default = SomeCounty
localityName = SomeCity
localityName_default = SomeCity
organizationName = test
organizationName_default = test
commonName = www.test.com
commonName_default = www.test.com
commonName_max = 64

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = test.test.com
DNS.2 = other.test.com
DNS.3 = www.test.net

6. Generate a certificate request

bin\openssl req -new -nodes -out myreq.csr -config req.conf

7. Send the myreq.csr file to your Certificate Authority of choice… (external providers vary as to whether or not they support Subject Alternative Name certificates, and having your own CA may have its own issues; see here).

8. You should receive a *.cer file back from the CA. What I want to do now is use this certificate as a full certificate to protect server-side services (in my example, IIS). So first we convert it to p12 format:

bin\openssl pkcs12 -export -in "SAN test.cer" -inkey privkey2.pem -out test.p12

Now test.p12 should be a full certificate with the private key in it, so we can copy it around if required. (AGAIN WARNING: make sure these certs are stored securely, as once a malicious user has the private key they can pretend to be you).
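The OpenSSL half of the steps above (4 to 8) as a script, added here as an example and not the post's own commands: it runs non-interactively on a POSIX shell, stands in for the CA by self-signing the CSR, and prints the DNS names found in the subjectAltName of the CSR and of the resulting certificate so you can confirm they match what was requested before, and after, the CA is involved. File names follow the post; the work directory, the 30-day validity and the PKCS#12 password "changeit" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the post's own commands): steps 4-8 scripted, plus a check that
# the requested DNS names really are in the subjectAltName of the CSR and, later,
# of the signed certificate. File names follow the post; $1 is a work directory.
set -eu
# req.conf with prompt = no, so the DN values are taken literally instead of
# being prompt labels with *_default values as in the post's version.
write_req_conf() {
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = GB
ST = SomeCounty
L = SomeCity
O = test
CN = www.test.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = test.test.com
DNS.2 = other.test.com
DNS.3 = www.test.net
EOF
}
# DNS names in the subjectAltName of a CSR ($1=req) or certificate ($1=x509), one per line.
list_san_dns() {
  openssl "$1" -in "$2" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}
# Steps 4-6. -key is given explicitly: "openssl req -new" without it generates a
# fresh key and writes it over default_keyfile, silently replacing the genrsa one.
make_csr() {
  write_req_conf "$1/req.conf"
  openssl genrsa -out "$1/privkey2.pem" 2048 2>/dev/null
  openssl req -new -key "$1/privkey2.pem" -out "$1/myreq.csr" -config "$1/req.conf"
  list_san_dns req "$1/myreq.csr"
}
# Step 8 stand-in: self-sign the CSR (local substitute for the CA), export to
# PKCS#12 as the post does, and report which DNS SANs the certificate carries.
make_p12() {
  openssl x509 -req -in "$1/myreq.csr" -signkey "$1/privkey2.pem" -days 30 \
    -extfile "$1/req.conf" -extensions req_ext -out "$1/test.cer" 2>/dev/null
  openssl pkcs12 -export -in "$1/test.cer" -inkey "$1/privkey2.pem" \
    -out "$1/test.p12" -passout pass:changeit
  list_san_dns x509 "$1/test.cer"
}
```

Run it as `d=$(mktemp -d); make_csr "$d"; make_p12 "$d"` after sourcing the file; a real CA's certificate goes through the same `list_san_dns x509` check, which is where a provider that dropped the requested names shows up.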

9. Import into Windows Certificate Store:

Start > Run…. MMC.exe
File > Add/Remove snap in….Certificates…Computer Account (Next, Finish)
Personal > Certificates. Right-click, Import, and find your test.p12 file
Think about whether you want to mark the key as exportable (I do in this case, as I want to have the full cert chain later in a further created pfx file).
Include all Extended Properties
Place all certificates in the following store: Personal (Next, Finish)

Now when you double click the certificate, you should see the “You have a private key that corresponds to this certificate” message in the General tab. If the certificate could not be verified, import the CA root chain.

10. Finally for me, I want to create a master PFX file with the certificate private key + all of its trusted chain.

Make sure the chain is complete first, then highlight the cert you’re interested in, right-click, All Tasks, Export.
Next.
Yes, Export the Private Key
Tick include all certs in the cert path
export all extended properties, Next
Nice secure password, Next
Filename and location, Next
Click Finish

…and that should be it. Now when you configure IIS to use this cert, it’ll protect the following https URLs without the SSL warning dialog popping up:

test.test.com
other.test.com
www.test.net

Happy encrypting.
