
I am trying to generate a self-signed SSL certificate to secure both example.com and *.example.com. Looking at the answers to this and this question, there seems to be an equal number of people agreeing and disagreeing whether this can be done. However, the website from a certification authority seems to suggest that it can be done.

Currently, these are the changes added to my openssl configuration file:

[req]
req_extensions = v3_req

[req_distinguished_name]
commonName = example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com

I tried the above configuration and generated a certificate. When navigating to https://example.com, it produces the usual warning that the cert is "self-signed". After acceptance, I navigate to https://abc.example.com and an additional warning is produced, saying that the certificate is only valid for example.com.

The certificate details only listed example.com in the certificate hierarchy with no signs of any wildcard subdomain being present.

I am not sure whether this is due to a misconfiguration or that the common name should have a wildcard or that this could not be done.

Further Update:

This is what I get by viewing the certificate request with openssl:

# openssl req -text -noout -in eg.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=xx, L=Location, O=Example Pte Ltd, CN=example.com/emailAddress=admin@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c1:c7:0d:7e:b7:48:d3:b8:9a:5a:88:db:c2:91:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:*.example.com
    Signature Algorithm: sha1WithRSAEncryption
         4d:4a:8a:d9:32:e2:31:c5:6c:8c:6a:2a:a6:c3:17:63:dd:a4:
         ...

And this is what I get by viewing the cert:

# openssl x509 -in eg.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d0:9e:b3:d5:83:b5:a1:0d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=xx, L=Location, O=Example Pte Ltd, CN=example.com/emailAddress=admin@example.com
        Validity
            Not Before: Sep 30 10:16:34 2012 GMT
            Not After : Sep 30 10:16:34 2013 GMT
        Subject: C=xx, L=Location, O=Example Pte Ltd, CN=example.com/emailAddress=admin@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c1:c7:0d:7e:b7:48:d3:b8:9a:5a:88:db:c2:91:
                    ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         3d:98:0d:f1:1b:06:27:63:09:14:4d:41:37:49:eb:70:15:1c:
         ...

When viewed through a browser, the certificate field is supposed to contain an extension for the subject alternative name, but it wasn't there. I suppose there could be some problem while generating the cert, if this can indeed be achieved.

Question Overflow

1 Answer

Yes, it works just fine. You'll commonly see the wildcard as the certificate's Subject in wildcards issued by public certificate authorities, with the base domain as a Subject Alternative Name, but I believe the opposite arrangement works as well.

Take a look at the certificate you've generated - are the alt_names being correctly incorporated into the certificate?

Shane Madden
  • Under the Subject heading in the certificate field, I don't see any wildcards or subject alternative name. I only have the usual fields E, CN, O, L, C. Where do I find those on the cert? – Question Overflow Sep 30 '12 at 07:53
  • @QuestionOverflow What tool or interface are you using to look at it? – Shane Madden Sep 30 '12 at 08:14
  • I am using the web browsers Firefox and Google Chrome to view the certificate. Also, if it is working fine, why is this additional warning (the certificate is only valid for example.com) emitted? – Question Overflow Sep 30 '12 at 08:26
  • @QuestionOverflow I'm not saying that your certificate is working fine, I'm saying that it works when deployed correctly. I believe you're missing the Subject Alternative Name field on the certificate you're generating. What command are you using to issue the cert? – Shane Madden Sep 30 '12 at 21:24
  • Yes, you are right. It has got to do with the command. – Question Overflow Oct 01 '12 at 03:56
  • @QuestionOverflow, please let us know how you fixed the problem! – Jordan Reiter Jul 13 '15 at 18:07
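As an added example (not code from the question or the answer above), the following shell script issues a self-signed certificate that carries both example.com and *.example.com in its Subject Alternative Name and then checks the result the way the answer suggests. It assumes the openssl CLI is installed; the file names, the config section names and the use of prompt = no are my own choices. The one thing the question's flow lacks is telling the self-signing step to emit the v3_req extensions: the certificate shown in the question is "Version: 1", and a v1 certificate cannot hold any extensions, so the SAN requested in the CSR was silently dropped.

```shell
# Added example: self-signed cert with SAN for example.com and *.example.com.
# Assumes the openssl CLI is on PATH; file names under $WORK are arbitrary.
set -eu
WORK="$(mktemp -d)"

# prompt=no makes the DN values literal; x509_extensions is the section that
# "req -x509" (self-signed) copies, so the SAN does not stay in the CSR only.
write_config() {
  cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = example.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
EOF
}

# One step: new key plus self-signed cert. "-extensions v3_req" yields an
# X.509 v3 certificate that carries the SAN (a v1 cert has no extensions).
make_cert() {
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -config "$WORK/san.cnf" -extensions v3_req 2>/dev/null
}

# Succeeds only if the issued certificate lists both names in its SAN.
check_san() {
  openssl x509 -in "$WORK/cert.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -q 'DNS:example.com, DNS:\*\.example.com'
}

# The same hostname check a browser performs (a wildcard covers one label).
matches_host() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" | grep -q 'does match'
}

make_cert && check_san && matches_host abc.example.com \
  && echo "SAN present; abc.example.com matched via *.example.com"
```

Omitting -extensions (or signing the CSR with plain "openssl x509 -req -signkey" and no -extfile) reproduces the question's result: check_san fails because the certificate comes out as v1 with no SAN.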