Could someone explain me the difference between these certificates in a simplified way? I read some articles but it sounds like they do the same job, namely encrypting many domains with one certificate.
My Synology NAS is capable of running the web interface via HTTPS. By default, you access the NAS via its name (say, mynas) so http(s)://myname:5001 or http(s)://myname.local. It defaults to an SSL certificate for synology.com.
You can create a new cert using Let's Encrypt; you forward the required ports from your router to your NAS, I created a sub domain from a domain I own and updated the DNS to point towards my home ip. (e.g. home.my-domain-i-own.com)
I was hoping I could enter myname;myname.local as subject alternative names, so I can browse my NAS internally via HTTPS without warning. However, Let's Encrypt doesn't accept domain names it can't validate, apparently.
My question: how to solve the issue I can use a Let's Encrypt cert with my domain mynas.local without any warnings?
I created own Certificate Authority and server (virtualhost) certificate based on this specification: https://jamielinux.com/docs/openssl-certificate-authority/index.html
It's successfully created, it works, but server-certificate not working without "www" prefix.
If I load domain without "www", get an error:
SSL_ERROR_BAD_CERT_DOMAIN
I checked several pages longer, option would have (SAN - Subject Alternative Names), just do not know how to insert the above configuration.
How can I add a Subject Alternate Name when signing a certificate request using OpenSSL (in Windows if that matters)?
I've generated a basic certificate signing request (CSR) from the IIS interface. Now, I'd like to add several subject alternate names, sign it with an existing root certificate, and return the certificate to complete the signing request.
Every tutorial I could find involves generating a new private key and a brand new CSR, however I was under the impression that the private key resides on the requesting computer (which I wouldn't necessarily have access to). I just want to sign the request while adding the alternate names. I'm relatively new to OpenSSL and CA topics so this may be a misunderstanding on my part.
Can any one tell me how I an add a number of Subject Alternate Names to an existing CSR?
I'm not talking about generating a CSR with SANs or adding SANs at signing time - I know how to do both of these things.
Background: The problem we have is that HP blade chassis, allow you to generate CSRs, but they only allow a single SAN. We can't use a CSR generated elsewhere as we could not use the resultant cert as there is no way (that I can find) to upload the key to the blade chassis.
Our CA's standard process does not allow for adding SANs are signing time. They are willing to experiment, however I am trying to find a solution at our end as this will mean we won't have to rely on them having a non standard process for us - in my experience if they need to use a non standard process life will eventually get difficult. E.g. when a staff member who knows the non standard process is not present due to leave etc.
Current method is to connect to the bladechassis onboard admin via the web gui and generate the CSR with a single CN.
The web gui only allows for a single SAN in the CSR.
Then we self sign it with the following stanza in the openssl config:
[ v3_ca ]
subjectAltName = "DNS:bladesystem8,DNS:bladesystem8.services.adelaide.edu.au,DNS:bladesystem8-backup,DNS:bladesystem8-backup.services.adelaide.edu.au"
The resultant cert has the extra SANs.