SSL - Generating a multi-domain CSR

From Ikoula Wiki

Introduction

A Subject Alternative Name (SAN) is an extension of the X.509 standard that allows additional information to be added to a certificate.
It makes it possible, for example, to create a single certificate that is valid for several domain names.

Procedure

We will see how to generate a Certificate Signing Request (CSR) for a SAN-type SSL certificate:

# openssl req -new -sha256 -nodes -out [NOM_DE_MON_FICHIER_CSR].csr -newkey rsa:2048 -keyout [NOM_DE_MON_FICHIER_KEY].key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = [PAYS]
ST = [ETAT/DEPARTEMENT]
L = [VILLE]
O = [SOCIETE]
OU = [DEPARTEMENT_DANS_LA_SOCIETE]
CN = [NOM_DE_DOMAINE_PRINCIPAL]

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = [NOM_DE_DOMAINE_PRINCIPAL]
DNS.2 = [AUTRE_NOM_DE_DOMAINE]
...
DNS.X = [AUTRE_NOM_DE_DOMAINE_X]
EOF
)

The generated CSR will then contain all the domain names specified. Example:

# openssl req -new -sha256 -nodes -out test.com.csr -newkey rsa:2048 -keyout test.com.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = FR
ST = Ile-de-France
L = Boulogne-Billancourt
O = Ikoula
OU = IT
CN = test.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = test.com
DNS.2 = www.test.com
DNS.3 = test.fr
DNS.4 = www.test.fr
EOF
)
Generating a RSA private key
.................................+++++
.....+++++
writing new private key to 'test.com.key'
-----

After checking the request, our 4 domains are indeed listed as Subject Alternative Names:

# openssl req -text -noout -verify -in test.com.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = FR, ST = Ile-de-France, L = Boulogne-Billancourt, O = Ikoula, OU = IT, CN = test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c1:63:b1:b3:9d:5a:84:e7:64:db:a5:c5:c0:3d:
                    c4:73:1b:e0:18:bc:e8:7f:32:0b:83:6c:ee:b1:c9:
                    2a:ee:c4:2b:7d:7e:65:93:7d:ba:7c:f6:7a:8f:cd:
                    0d:da:e4:42:db:72:ce:ba:59:04:0b:6b:d2:ff:3f:
                    81:3d:04:28:8e:2e:db:9b:87:c1:ba:c3:50:94:fa:
                    42:8c:cc:d4:44:54:78:22:e8:25:6e:7f:de:5f:92:
                    f5:f2:15:3a:a8:a6:0c:bb:7e:44:66:2d:93:04:33:
                    7b:f8:a7:37:77:8e:97:9e:fc:fb:d6:dc:8e:80:de:
                    7f:57:34:9a:b9:45:61:ba:e0:9b:9a:99:ef:e8:37:
                    dd:d8:6c:3d:a2:9b:e7:f7:d0:1c:e2:14:ce:14:61:
                    93:d1:74:39:ac:1e:87:65:48:40:a7:04:6e:bc:7b:
                    0d:c7:6f:87:1f:88:f2:bb:be:50:23:07:33:b5:1f:
                    c8:09:c5:9f:f8:83:db:2b:8a:4f:e3:4b:ab:d7:e6:
                    e0:e0:c4:bc:c6:1f:63:d2:5b:39:28:a0:98:ce:6f:
                    fc:f3:aa:7e:fe:a8:5e:f4:81:1f:7f:8d:a1:51:57:
                    87:e3:95:02:43:d5:c4:b0:5f:bd:ea:96:53:81:45:
                    46:91:b6:15:83:98:8f:00:40:70:30:3f:12:25:60:
                    8f:b9
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:test.com, DNS:www.test.com, DNS:test.fr, DNS:www.test.fr
    Signature Algorithm: sha256WithRSAEncryption
         40:4d:1c:cb:cb:b4:86:c9:7a:b1:8d:42:38:f4:d2:a8:2a:1f:
         f3:f9:78:bd:24:c1:88:61:c6:66:7d:2a:87:7e:57:b5:a6:46:
         73:aa:c3:89:e1:aa:3b:4e:cf:19:d3:fb:89:d9:9b:c1:a8:10:
         8f:86:db:41:20:c9:66:bc:fd:0c:94:34:24:85:72:0d:58:47:
         b0:e9:83:fa:29:65:f1:6b:c8:d1:eb:f7:29:5b:4d:35:00:f5:
         b8:a7:b2:d3:78:29:4e:93:b6:84:8e:2f:cb:3f:3f:45:16:9b:
         a7:62:9d:a5:25:35:71:4a:e7:e2:65:54:c7:c3:9b:89:02:b2:
         18:77:05:31:4e:b9:4e:32:9f:22:d3:44:fe:da:9a:3f:ab:ac:
         97:d8:31:d5:0a:28:2e:ad:02:bc:d1:98:2f:63:f6:c4:94:a1:
         a1:bb:92:c9:33:d0:50:51:6f:a6:b3:7e:8b:1e:a3:ac:72:02:
         44:fa:69:45:a7:cd:8c:da:78:8d:71:7b:58:7c:e1:af:dc:de:
         36:76:b1:e8:41:b7:5f:88:ec:7b:bb:e0:a8:e5:d0:2d:bc:8c:
         cc:fb:d4:25:bd:06:e2:6a:bb:fe:81:fa:fc:35:b9:12:86:0f:
         32:69:db:f9:08:aa:bf:22:eb:40:b3:6c:4a:f5:8e:8a:ca:b8:
         f5:14:dd:5b
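As an added example (not part of the Ikoula page), the Python helper below builds the same [req]/[dn]/[req_ext]/[alt_names] configuration for any list of names, forcing the CN into the SAN and rejecting malformed hostnames, and then parses the `openssl req -text -noout` output shown above to confirm that every requested name actually landed in the SAN. The SUBJECT fields and SAMPLE_REQ_TEXT are constructed from the page's example; the returned text can be passed to `openssl req ... -config` exactly as in the command above.

```python
import re

# Constructed subject fields mirroring the page's example; adjust to your organisation.
SUBJECT = {"C": "FR", "ST": "Ile-de-France", "L": "Boulogne-Billancourt", "O": "Ikoula", "OU": "IT"}
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Constructed excerpt of the `openssl req -text -noout` output shown on the page.
SAMPLE_REQ_TEXT = """    Requested Extensions:
        X509v3 Subject Alternative Name:
            DNS:test.com, DNS:www.test.com, DNS:test.fr, DNS:www.test.fr
    Signature Algorithm: sha256WithRSAEncryption
"""

def is_valid_hostname(name):
    """RFC 1123-style hostname check; one leading wildcard label is tolerated."""
    labels = name.lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(x) for x in labels)

def build_req_config(cn, sans, subject=SUBJECT):
    """openssl.cnf text in the page's [req]/[dn]/[req_ext]/[alt_names] layout.

    Names are lower-cased and de-duplicated (order kept) and the CN is forced in as
    DNS.1: clients ignore the CN once a SAN extension is present, so a CN missing
    from alt_names would not be covered by the issued certificate.
    """
    names = []
    for n in [cn, *sans]:
        n = n.strip().lower()
        if not is_valid_hostname(n):
            raise ValueError(f"not a valid DNS name for a SAN entry: {n!r}")
        if n not in names:
            names.append(n)
    dn = "\n".join(f"{k} = {v}" for k, v in subject.items())
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))
    return ("[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n"
            "req_extensions = req_ext\ndistinguished_name = dn\n\n"
            f"[ dn ]\n{dn}\nCN = {names[0]}\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\n"
            f"[ alt_names ]\n{alt}\n")

def san_dns_names(req_text):
    """DNS entries under 'X509v3 Subject Alternative Name' in `openssl req -text` output."""
    m = re.search(r"X509v3 Subject Alternative Name:[ \t]*\n[ \t]*(.+)", req_text)
    entries = m.group(1).split(", ") if m else []
    return [e.split(":", 1)[1] for e in entries if e.startswith("DNS:")]

def missing_from_csr(req_text, expected):
    """Requested names absent from the CSR's SAN; anything listed here will not be covered."""
    present = set(san_dns_names(req_text))
    return [n for n in expected if n.strip().lower() not in present]
```

Feed `build_req_config(...)` to the `-config` argument (for instance via a temporary file or the `<( ... )` process substitution used above), then run `missing_from_csr` on the `openssl req -text -noout -verify` output before sending the CSR to the CA.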