Skip to content

Subject Alternative Names for SSL

Last time I blogged about SSL and host-headers I was convinced it is only possible to host multiple SSL sites on one IP address when using a wildcard certifcate. I think I was right at the time, and now comes along Unified Communications UC SSL Certificates (aka Subject Alternative Name).

Same issue as before: host-headers enable you to host several websites on a single IP address. We run into a problem with several SSL certificates on one IP address. The first message a server sends in the SSL handshake contains relevant certificate, the server can only determine which certificate by IP address / port. If there is only one certificate to serve – no need to make a decision!  Here we can serve a UC SSL certificate which is accepted by the web browser for multiple domain names.

I felt like trying this myself, extra curious to know what the certificate will look like in a browser. Managed to get this working in OpenSSL using a combination of two articles:

  1. Creating a Self-Signed Certificate using OpenSSL for use with Microsoft Internet Information Services (IIS) 5
  2. Creating a Certificate With Multiple Hostnames

Follow the steps for creating a CA in the first article. Grab the CA and import it into your IIS box. Switch over to the second article and add the changes to the openssl.cfg

[ CA_default ]
copy_extensions = copy

[ req ]
req_extensions = v3_req

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName          = @alt_names

DNS.1   =
DNS.2   =

Create a key for the multi domain certificate. Here we are skipping the “create CSR on IIS” step, and creating the key in OpenSSL.

openssl genrsa -des3 -out keys\multi.key 1024

Create a certificate request

openssl req -new -out requests\multi.txt -key keys\multi.key

Sign the certificate request

openssl.exe ca -policy policy_anything -cert certs\ca.cer -in requests\multi.txt -keyfile keys\ca.key -out multi.cer

Export the certificate AND private key (usually the private key would already be on in IIS box if you created the CSR in IIS)

openssl.exe pkcs12 -export -out multi.pfx -in multi.cer -inkey keys\multi.key

You now have a UC SSL cert you can install on the IIS box. By default IIS won’t allow you to enter a host-header when you are setting the SSL binding. There’s a little trick from this article: Using Host Headers and SLL in IIS 7 – give the certificate a friendly name starting with ‘*’!

And what does the certificate look like? Here it is, in IE and FF:

Post a Comment

Your email is never published nor shared. Required fields are marked *