[How-to] Simple way of generating Wildcard/SAN SSL CSRs for Product Managers


I recently came across a situation where I had to generate CSRs for a single, wildcard & SAN SSL certificates. And while I maintain that as Product Managers we have to prioritize our workload, sometimes, to speed things up, we need to get our hands dirty.

Before we jump into the details, we should know the differences amongst SSL types:

1. Single-name SSL Certificates

Example: If you purchase a single-name SSL Certificate for www.xyz.com, it doesn’t mean you can secure mail.xyz.com.

2. Wildcard SSL Certificates

Example: If you purchase a wildcard certificate for xyz.com (its Common Name is *.xyz.com), it will secure www.xyz.com, career.xyz.com, help.xyz.com, etc. It will work on any subdomain one level down. However, it will not secure abc.pro.xyz.com.

3. Unified SSL Certificates/Multi-Domain SSL Certificates/SAN Certificates

Note: The instructions are for Mac. Running Mojave.

Prerequisite — Installing Openssl on your system

Using Homebrew for Mac

This is the simplest way to do this. Simply open your terminal (iTerm?) and type this:

brew install openssl

If you’re stuck on homebrew update, you can bypass the update by typing this:

HOMEBREW_NO_AUTO_UPDATE=1 brew install openssl

However, it is always advisable that you keep your formulas (formulae?) updated.

Generating a single domain CSR for SSL

openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out generated.csr 

After pressing enter, you’ll be prompted with the following:

  1. Country Name (2 letter code)
    Use your 2 char country code (USA is US, India is IN, UAE is AE etc.)
  2. State or Province Name (full name)
    State in which your org is located: Dubai, Texas, Maharashtra, etc.
  3. Locality Name (eg, city)
    City name.
  4. Organization Name (eg, company)
    Company name. Usually this should match the organization that owns the domain, e.g. if you’re making a CSR for Nike, the organization name should have Nike in it.
  5. Organizational Unit Name (eg, section)
    Your team in the organization. Could be “IT dept”, “Product Team” etc.
  6. Common Name (eg, fully qualified host name)
    Domain name. In our case, websiteurl.com.
  7. Email Address
    Your email address — try to use your official email id here.
  8. A challenge password (the prompt calls it “A challenge password”)
    Leave it blank.

After this, the command completes and returns you to the shell (the original post shows a screenshot here).

A simple ls -l will show you the folder contents. You’ll find a ‘generated.csr’ file, which you’ll need to upload to the SSL provider to generate the final certificate. The private.key is what you’ll eventually install on the server together with the certificate; it never goes to the SSL provider. Because the command used -nodes, the key file is stored unencrypted, so keep it private and restrict its file permissions (chmod 600 private.key).

Generating a wildcard domain CSR for SSL

The command is the same as for the single-name CSR above; the only difference is that you answer the Common Name prompt with *.websiteurl.com instead of websiteurl.com. Note that your wildcard SSL will not support multiple levels of sub-domains, i.e., the SSL certificate will verify bar.websiteurl.com but not foo.bar.websiteurl.com. That’s the issue with wildcard SSLs — they say wildcard, but really it’s only one level down.

Generating a SAN CSR for SSL

Step 1 — Create a configuration file

$ mkdir san
$ cd san
$ touch ssl.conf
$ open -a TextEdit ssl.conf

A file will open in TextEdit. Enter the values below:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
# Each "name = ..." line is the prompt label openssl shows; the matching
# "_default" line is the value accepted when you press Enter, so set both.
countryName = AE
countryName_default = AE
stateOrProvinceName = Dubai
stateOrProvinceName_default = Dubai
localityName = Dubai
localityName_default = Dubai
organizationName = YourOrganizationName
organizationName_default = YourOrganizationName
commonName = websiteurl.com
commonName_max = 64
commonName_default = websiteurl.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
# One DNS.N entry per host name the certificate must cover; the CN must be listed here too.
DNS.1 = websiteurl.com
DNS.2 = www.websiteurl.com
DNS.3 = foo.websiteurl.com
DNS.4 = bar.foo.websiteurl.com
DNS.5 = websiteurl.net
DNS.6 = foo.websiteurl.net
DNS.7 = bar.websiteurl.net

Notes:

  1. SAN certificates cover more than just your domain. You can add other domains, up to a max of 250. Use the DNS.# to add all possible domains & sub-domains.
  2. The common name (CN) is the main domain you want to verify. Ensure that this domain is also under [alt_names] (DNS.#).

Save this file.

Step 2 — Generate private key

$ openssl genrsa -out private.key 4096

This generates the private.key for you.

Step 3 — Generate CSR

$ openssl req -new -sha256 -out private.csr -key private.key -config ssl.conf

Again, you’ll get the same prompts as earlier. Since your ssl.conf already has the values set up as defaults, keep pressing Enter.

The CSR (private.csr) will now be generated.


Verification of CSR


Check the Common Name and, for a SAN CSR, the Subject Alternative Name entries, making sure the SAN list includes the Common Name.
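The SAN procedure above (config file, private key, CSR) and the CN-in-SAN check described in this section, as a POSIX shell script added here; it is not code from the original post. It assumes openssl is on PATH, uses prompt = no so the config supplies the answers instead of pressing Enter, and all example.com names and DN values are constructed placeholders.

```shell
#!/bin/sh
# Added example: non-interactive SAN CSR generation plus the CN-in-SAN check.
# Assumes openssl is on PATH; all names/values below are constructed placeholders.
set -eu

# Write an openssl req config like the post's ssl.conf, but with prompt = no
# so the [ dn ] values are used directly.  $1=conf path, $2=CN, rest=SAN names.
write_san_conf() {
  conf=$1; cn=$2; shift 2
  {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = req_ext\n'
    printf '[ dn ]\nC = AE\nST = Dubai\nL = Dubai\nO = YourOrganizationName\nCN = %s\n' "$cn"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
    i=1
    for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
  } > "$conf"
}

# Steps 1-3 in one go: config, private key, CSR.  $1=output dir, $2=CN, rest=SAN names.
# A 2048-bit key is used here for speed; the post uses 4096.
gen_san_csr() {
  dir=$1; shift
  mkdir -p "$dir"
  write_san_conf "$dir/ssl.conf" "$@"
  openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
  chmod 600 "$dir/private.key"   # the key stays local; only the CSR goes to the CA
  openssl req -new -sha256 -key "$dir/private.key" -config "$dir/ssl.conf" -out "$dir/private.csr"
}

# Verification: succeed (exit 0) only if the CSR's Common Name appears among its
# DNS SAN entries. Fixed-string, whole-line matching means a wildcard CN such as
# *.example.com is compared literally.  $1=CSR path.
csr_cn_in_san() {
  cn=$(openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | grep -qxF -- "$cn"
}

# Demo run (constructed names): a good CSR and one whose CN is missing from the SAN list.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gen_san_csr "$d/good" example.com example.com www.example.com bar.foo.example.com
  csr_cn_in_san "$d/good/private.csr" && echo "good: CN present in SAN"
  gen_san_csr "$d/bad" example.com www.example.com
  csr_cn_in_san "$d/bad/private.csr" || echo "bad: CN missing from SAN"
fi
```

Run it as `sh script.sh demo`; passing `'*.example.com'` as the CN and first SAN name produces a wildcard CSR that passes the same check.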

For a single-name or wildcard CSR, check the Common Name the same way (for a wildcard it should read *.websiteurl.com); the original post shows screenshots of both here.

And that’s that!

Thank you for reading. Do note that this isn’t the technical version of the process — you might have errors due to some specific SSL generation request that might require some specific requirements. Consult your nearest developer!

Written by

Simplifying Complexities for a Living | rkakodker.com
