SSL Certificates with DNS Aliases

At work I have several systems that provide SSL encrypted services but respond to multiple host-names. For instance an LDAP server may be named but have DNS aliases of and If a client system connects to and the server returns an SSL certificate with a common name of ugliness will ensue.

To get around this problem one can install SSL certificates that employ the subjectAltName extension.

To be deployed properly you will need to either be running your own certificate authority (beyond the scope of this document) or using commercially signed certificates. If you are purchasing certificates you should check with your CA first to see if they are willing to sign certificate requests that employ the subjectAltName extension.

Generating the Certificate Signing Request (CSR)

First edit the openss.cnf file (location may vary depending on OS) and add the v3_req extension. Locate the [ req ] section and add

req_extensions = v3_req

Next find the [ v3_req ] section and add a subjectAltName line containing the appropriate DNS names (in this case I will be using, and

subjectAltName = “,, DNS:”

Generate a Private Key

To generate a CSR we need a private key, generated with the following command. This file should never be world readable and needs to be carefully protected.

# ( umask 077; openssl genrsa 2048 > server1-ldap-key.pem )

Generate the CSR

# openssl req -nodes -new -key server1-ldap-key.pem -out server1-ldap-req.pem

Answer the question prompts. When prompted for your Common Name enter the primary host-name of the system.

Signing the CSR

In order to include the extensions in the signed certificate the CA must be configured to copy extensions from the CSR. This is potentially dangerous if you do not fully trust the source of the CSR! You may want to enable it on a per-signing basis.

Locate the openssl.cnf file on your CA. Find the appropriate CA section (usually [ CA_default ]) and add or un-comment the following line:

copy_extensions = copy

Copy the server1-ldap-req.pem file to your CA and sign it with the following command:

# openssl ca -keyfile [path to CA private key] -in server1-ldap-req.pem -out server1-ldap-cert.pem

The presence of the subjectAltName extension can be verified using this command:

# openssl x509 -in server1-ldap-cert.pem -noout -text

Look for the X509v3 Subject Alternative Name: section.

Now just install the certificate and private key as you would with any other certificate/key pair.

A Few File Locations

  • openssl.cnf:
    • Debian Linux: /etc/ssl/openssl.cnf
    • Mac OS X: /System/Library/OpenSSL/openssl.cnf
    • Solaris 10: /etc/sfw/openssl/openssl.cnf

Comments are closed.