Strumenti Utente

Strumenti Sito


creating_ssl_certificates_for_multiple_domains_or_subdomains_with_tinyca

What is TinyCa

TynyCa is a great tool to create and manage ssl CAs, certificates and keys, without messing into the technical details of openssl.

It was very easy for me to create a self-signed certificate for my personal website following this tutorial, which also explains how to install in the server (apache) and in the client (firefox) all the required files.

The problem of multiple domains and subdomains

In the linked tutorial, at some point (in the request creation dialog) you have to fill in the “Common Name” for the certificate. This identifies the host for which the certificate will be used.

For instance, for my website pietrobattiston.it, I would just put pietrobattiston.it in this field.

What's the problem? That I may want to use the same certificate for more than one website.

You may think that's generally not particularly smart, since (self-signed) certificates are cheap… but in my case, I wanted my website (the same website!) to be accessed at both https://pietrobattiston.it and https://www.pietrobattiston.it, and it seemed stupid to create two different certificates just to address the possible absence of the “www” prefix. But more in general, it can make sense to use the same certificate for multiple third-level domains.

The solution is provided by OpenSSL with the Subject Alternative Name (or subjectAltName) field in the certificate.

The solution

TinyCA (all this page refers to version 0.7.5) can manage this field, but it is not shown by default, since it is considered “expert mode”. To enable it, click on Preferences → OpenSSL Configuration (yes, just below Experts Only!…) A window will open: click on the Server Certificate Settings tab.

Under “Subject alternative name (subjAltName)”, select “Ask User”, and just below select “DNS Name”.

Click “Apply” and then “OK” to go back to the main window. Now, assuming that you already created your request as described in the tutorial, right-click on it and select “Sign Request” and then “Sign Request (server).1)

In the small dialog that pops up, there is now a field labeled ”Subject alternative name (DNS Name):“: you must write inside it a comma-separated list of all desired hostnames, including the one you already inserted as “Common Name” of the request:2)

So in my case this field had the following value:

pietrobattiston.it,www.pietrobattiston.it

Now enter your CA password, click OK and that's all: you can now proceed to the installation of the certificate, as the tutorial describes.

1)
We are here assuming that you still have to create the corresponding certificate. If the certificate already exists, you have to revoke it first - this means, the server certificate will change, and visitors that manually told, i.e., Firefox to trust it will have to follow that step again.
2)
At least, this is necessary with Firefox 3.5.13 - other browsers may decide to consider the “Common Name” even when the subjAltName is set.
creating_ssl_certificates_for_multiple_domains_or_subdomains_with_tinyca.txt · Ultima modifica: 2011/04/06 08:22 da toobaz