Next, we will generate CSR using private key above AND site-specific copy of OpenSSL config file. openssl genrsa -out 2048 Certificate Signing Request – CSR generation Do not use passphrase as nginx will use this private key. Run following command to generate private key. Make sure you are currently working in cert folder for your site: cd /var/www//cert/ Private Key Now you have your OpenSSL config file ready. Now in common-field, we use version – if SSL is for www and non-www versions of domains. Note: I couldn’t find out whether we need to add domain used in common-name field again here. SubjectAltName = add a new section called towards end of file listing all domain variation you are planning to use. KeyUsage = nonRepudiation, digitalSignature, keyEncipherment # Extensions to add to a certificate request In section, add following line: subjectAltName = will look like:
This will make sure our next section is read/used. If you don’t find a line like above, you can add one. Find add uncomment following line: req_extensions = v3_req Unless you are configuring only one certificate on your server, it’s better to copy OpenSSL config file to website’s cert folder: cp /etc/ssl/openssl.cnf /var/Editing Config File So we will outline process on your server-side only (which should remain common across all Ubuntu server) OpenSSL Config File Copy OpenSSL confīy default, when you are are running OpenSSL commands, it is picking config from /etc/ssl/openssl.cnf file. They have different type of interfaces for CSR signing and certificate generation. altogether different domainsĭifferent companies offers different type of SSL certificates. Please note that most wildcard SSL do not protect your root domain i.e. wildcard (all subdomains) and apex/root/naked domain.If you are trying to setup something else, please ignore this. This tutorial is intended for following types of use case. In this article, we will use “Subject Alternative Names” method. There are 2-ways to setup this (as far as I know) – using Subject Alternative Names and Server Name Indication (SNI) We can change the default configuration of only one program or of all programs that run on the same server.SSL Setup for multiple domains/subdomains is different than single-domain or wildcard domain setup. This process ensures that there are a number of options available to control the defaults in a way that solves a particular need. OpenSSL will look in this folder for a file called openssl.cnf. This step is skipped if the binary has the setuid or setguid flag set.įailing that, check the default system-wide location of the configuration directory specified at compile time. This procedure consists of the following steps:Ĭheck the OPENSSL_CONF environment variable, which is expected to contain a path to the configuration file. On startup, OpenSSL will go through an initialization procedure that attempts to fetch the defaults from the filesystem. In that situation, you can resort to changing the OpenSSL defaults. Occasionally, you’ll run into a problem trying to configure some applications to use OpenSSL in a certain way, only to be frustrated if there are no configuration options to achieve what you need.
0 kommentar(er)
