How to Create a Server Certificate with Configuration using OpenSSL

In this post, I’ll step by step create a server certificate including configurations like subject alternative names and key identifiers.

Modern browsers include several security controls to make sure you are visiting the exact site that you’ve aimed for. SSL certificates have an important role in achieving this. However, not all server certificates are considered safe by the browsers. For example, for Chrome 58 and later, chrome checks for the existence of subject alternative names (subjectAlternativeName extension) in the server’s SSL certificates and if it is not present displays the following error message to let the users know that the connection might not be private.

NET::ERR_CERT_COMMON_NAME_INVALID

Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

With OpenSSL, you can use the subjectAltName extension to specify the subject alternative name.

We will use the config files while creating the certificates to add the extensions. Let’s start…

Generate the root key:

Execute:

openssl genrsa -out "root-ca.key" 4096