In general, SSL certificates are used to validate a single domain. However, some practical requirements force you to think about securing multiple domains with a single certificate. If you are a beginner, you are searching for the solution to this problem. Then you are at the right place. The short answer to this is, yes, you can secure multiple domains with a single certificate. To acquire an SSL certificate that secures multiple domains, you should generate a CSR (Certificate Signing Request) for your multi-domain certificate to submit to the CA to sign. After you read this post, you will be in a position to answer how to generate a CSR for a multi-domain SSL certificate using OpenSSL.
Before you go ahead, we encourage you to learn about the different types of certificates if you have time.
Table of Contents
What Is A Multi-Domain/SAN Certificate?
Multi-domain certificates are certificates that can be used to validate more than one domain name. They are also known by two other names. 1. UCC, which stands for “unified communication certificate,” and 2. SAN (which stands for “subject alternative name”) certificates.
Well, suppose you ever created a Certificate Signing Request for a single domain certificate. In that case, you might be aware of the ‘common name’ field, which contains a Fully Qualified Domain Name (FQDN) for which the certificate is created. Well, if you think you will have multiple common names in a single SSL certificate, you are wrong. You will have only one common name, which is the primary domain of the certificate. In addition to that, you will have multiple Subject Alternative Names (SAN) or Alt Name or DNS Name in the certificate. Each SAN will serve as a common name. That’s why it is also called SAN certificate.
Let’s see an example of a multi-domain or SAN certificate:
If you create a certificate with this information, the certificate will secure all four domains. The same certificate can be used for any of the four domains.
CN (Common Name) = example.com
DNS 1 = www.example.com
DNS 2 = mydomain.com
DNS 3 = exampledomain.com
What Is The Maximum Number Of SAN Are Allowed In A SSL Certificate?
Different Certificate Authorities have specified different maximum limits. Windows Certificate Authority has set the limit up to 4 Kb. However, RFC5280 Section 4.2.1. doesn’t specify the maximum limit. the range is defined as 1…MAX. The value of MAX is not specified.
How To Generate A CSR for Multi-Domain SSL Certificates?
Let’s see how to generate a CSR for the certificate, which can be used to secure multiple domains. Let learn how to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL.
Time needed: 15 minutes.
How to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL?
- Create a copy of OpenSSL config file
Create a copy of the existing config file. The existing OpenSSL config file will be at /etc/ssl/openssl.cnf or /usr/lib/ssl/openssl.cnf.
Use the cp command to take a copy of the config file:
# cp /etc/ssl/openssl.cnf /home/arunkl/multi-domain-site/
- Edit the config file and enable [ v3_req ]
Use your choice of editors to edit the config file. We use nano in this demonstration.
# nano /home/arunkl/multi-domain-site/openssl.cnf
Look for the [ req ] section. Uncomment the following line: If you don’t see the line, add it under the [ req ]. This will direct OpenSSL to read the[ v3_req ]section.
req_extensions = v3_req
- Enable SubjectAltName under [ v3_req ] section
Scroll down until you see [ v3_req ] and add the following line: This will direct the config file to read alt names.
subjectAltName = @alt_names
- Add Alt Name or SAN names in the config file
Create a new section [ alt_names ] at the bottom of the config file. Add SAN or DNS or Alt names like this.
[ alt_names ]
DNS.1 = www.exampledomain.com
DNS.2 = exampledomain.com
DNS.3 = thesecmaster.local
DNS.4 = mydomain.local
Note: Do not add the domain name used in the common name field again.
Now you are done with the creation of the config file. Hit Ctrl + o to save the config file and Ctrl + x to exit.
- Generate the private key
Run this command to create a private key for your certificate. Do not use a passphrase as Nginx will have to use this private key.
# openssl genrsa -out example.com.key 2048
- Generate the CSR for multi-domain or SAN certificate
Create the CSR importing the private key and the config file created in the previous sections.
# openssl req -new -key example.com.key -out example.com.csr -config example.com.cnf
- Test the CSR
Test the CSR with the following command:
# openssl req -in example.com.csr -noout -text
The CSR is ready to submit to the Certificate Authority.
This is how you can generate a CSR for a multi-domain SSL certificate.
Thanks for reading the tutorial post. Please let us know if you have any difficulties in generating a CSR for a multi-domain SSL certificate. Follow us on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium.
Frequently Asked Questions:
A CSR is a block of encoded text that contains information about the entity applying for an SSL certificate. It is generated on the server where the SSL certificate will be installed and includes the public key of the server. The CSR is submitted to a Certificate Authority (CA) for validation and issuance of the SSL certificate.
A multi-domain SSL certificate, also known as a SAN (Subject Alternative Name) or UCC (Unified Communications Certificate), allows multiple domain names to be secured under a single SSL certificate. It simplifies certificate management by consolidating the security of different domains, subdomains, or IP addresses into one certificate.
OpenSSL is a widely-used open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It is also a general-purpose cryptography library that provides cryptographic functionality, such as the ability to generate CSRs and SSL certificates.
Yes, you can use OpenSSL to generate a CSR for a multi-domain SSL certificate. The provided guide demonstrates the step-by-step procedure to create a CSR using OpenSSL that includes multiple domain names.
When generating a CSR, you need to provide the following information:
1. Common Name (CN): The primary domain you want to secure (e.g., example.com)
2. Organization Name (O): The full legal name of your organization
3. Organizational Unit (OU): The department or division within your organization responsible for the certificate
4. Locality Name (L): The city or locality where your organization is located
5. State or Province Name (ST): The state or province where your organization is located
6. Country Name (C): The two-letter country code where your organization is based
To add multiple domain names to your CSR using OpenSSL, you need to create a configuration file that includes the domain names as SAN entries. In the configuration file, add the additional domain names under the [alt_names] section by specifying them as DNS.#=domain.com, where # is a unique number for each domain.
Yes, you can use a wildcard domain in a multi-domain SSL certificate. A wildcard domain allows you to secure all subdomains under a primary domain (e.g., *.example.com will cover blog.example.com, shop.example.com, etc.). When generating a CSR for a multi-domain SSL certificate, specify the wildcard domain as one of the SAN entries.
After generating the CSR using OpenSSL, you can submit it to a CA of your choice. The submission process may vary depending on the CA, but typically involves creating an account, selecting the type of SSL certificate you want to purchase, and pasting the CSR into a designated field during the ordering process.
After receiving the multi-domain SSL certificate from the CA, you need to install it on your server. The installation process depends on the web server software you are using (e.g., Apache, Nginx, IIS). Refer to the documentation specific to your web server for detailed installation instructions.
Yes, you can add or remove domain names from your multi-domain SSL certificate after it has been issued. However, you will need to go through the following steps:
1. Generate a new CSR that includes the updated list of domain names you want to secure.
2. Submit the new CSR to your Certificate Authority (CA) to reissue the SSL certificate with the updated domain list.
3. Reinstall the reissued SSL certificate on your server, following the installation instructions specific to your web server software.
Keep in mind that you may need to repeat the domain validation process for any newly added domain names, and the reissue process may incur additional fees depending on your CA’s policies.
Yes, you can use a multi-domain SSL certificate on multiple servers, provided that the servers are hosting the domain names specified in the SSL certificate. To do so, you will need to install the certificate and the associated private key on each server.
The validity period of a multi-domain SSL certificate can vary depending on the Certificate Authority (CA) and the specific certificate type. However, most multi-domain SSL certificates have a maximum validity period of two years. Keep in mind that you will need to renew the SSL certificate before it expires to maintain the security of your domain names.
Some benefits of using a multi-domain SSL certificate include:
1. Simplified certificate management: You can secure multiple domain names, subdomains, or IP addresses with a single certificate, reducing the administrative overhead of managing multiple SSL certificates.
2. Cost savings: Purchasing a multi-domain SSL certificate can be more cost-effective than buying individual SSL certificates for each domain name.
3. Flexibility: You can easily add or remove domain names from your multi-domain SSL certificate as needed, allowing you to adapt to changes in your organization’s online presence.
4. Improved security: By using a single SSL certificate for multiple domains, you can streamline the process of ensuring that all your domain names are encrypted and secure.
To renew a multi-domain SSL certificate, you will need to follow these steps:
1. Generate a new CSR (Certificate Signing Request) for the domain names you want to secure. Ensure that the CSR includes all the domain names that were part of the original certificate and any new ones you want to add.
2. Submit the new CSR to your Certificate Authority (CA), requesting a renewal of your existing multi-domain SSL certificate.
3. Complete the domain validation process for each domain name included in the certificate, as required by the CA.
4. Once the CA has issued the renewed certificate, install it on your server, following the specific installation instructions for your web server software.
5. Verify that the renewed certificate is functioning correctly by checking the secure connections for each domain name.
If your multi-domain SSL certificate expires, web browsers and other clients connecting to your domain names will display a security warning, indicating that the connection is not secure. This can lead to a loss of trust from your visitors and potentially result in lost sales or conversions. To avoid this, it is essential to monitor your SSL certificate’s expiration date and renew it before it expires.
Transferring a multi-domain SSL certificate from one CA to another is not possible. If you want to switch CAs, you will need to purchase a new multi-domain SSL certificate from the desired CA and go through the domain validation process again. Once you have the new certificate, install it on your server and replace the existing certificate from the previous CA.
Upgrading a single-domain SSL certificate to a multi-domain SSL certificate is not possible. Instead, you will need to purchase a new multi-domain SSL certificate, generate a CSR that includes all the domain names you want to secure, and submit it to your Certificate Authority (CA). After completing the domain validation process and receiving the multi-domain SSL certificate, you can install it on your server, replacing the single-domain SSL certificate.
The maximum number of domain names that a multi-domain SSL certificate can secure varies depending on the Certificate Authority (CA) and the specific certificate product. Typically, a multi-domain SSL certificate can secure between 25 and 100 domain names. Some CAs offer the option to add more domain names through the purchase of additional Subject Alternative Name (SAN) slots.
Hi everyone!
can you please help me with below error
openssl req -new -key example.com.key -out example.com.csr -config example.com.cnf
error on line -1 of example.com.cnf
139956674074512:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('example.com.cnf','rb')
139956674074512:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
139956674074512:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:
I followed the steps as mentioned
but when I try to run 6th step facing this error
Hi Shenba,
Try this command:
openssl req -new -key example.com.key -out example.com.csr -config opnssl.cnf.
The error shows that there is no such file exist by the name “example.com.cnf”.