# Get a certificate for multiple domains

This scenario describes step-by-step how to obtain a certificate for the following domains: `example.com`, `www.example.com`, `admin.example.com` and `www.admin.example.com`.
Requirements:
- PJAC
- OpenSSL binaries (https://www.openssl.org/).
Our CA is Let's Encrypt (we don't specify a server URL, so PJAC uses the builtin default of Let's Encrypt's production server). We use HTTP01 authentication in this scenario. For simplicity, we assume that on the machine PJAC and OpenSSL are executed on we already have a webserver running. The webserver is configured to serve content over HTTP (port 80) for all above mentioned domains from a single document root `/var/www/`.

ℹ️ If you don't already have a webserver running, see a simple way to run a webserver on Linux for instructions on how to quickly set up a (temporary) webserver.

All files will be saved to `/etc/pjac/`, and a copy of the default OpenSSL configuration file (`openssl.cnf`) was made in that directory. Also, the subdirectories `/etc/pjac/workdir`, `/etc/pjac/certdir` and `/var/www/.well-known/acme-challenge` were made beforehand.
1. Generate a CA user account key:

   ```
   openssl genrsa -out /etc/pjac/account.key 2048
   ```

   ℹ️ We generate a 2048-bit key here. Let's Encrypt accepts RSA keys from 2048 to 4096 bits in length, and P-256 and P-384 ECDSA keys for both account keys and certificate keys. Note that you can't reuse an account key as a certificate key.

2. Generate a private domain key:

   ```
   openssl genrsa -out /etc/pjac/example.com.key 2048
   ```

3. Configure OpenSSL to use alternative domain names:

   If you have only one domain name you can skip this step and proceed to step 4. Otherwise you have to specify the alternative domain names in the OpenSSL configuration file so that a proper CSR is generated in step 4.

   Edit `/etc/pjac/openssl.cnf` and set/change the following parameters:

   ```
   [ req ]
   req_extensions = v3_req

   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   subjectAltName = @alt_names

   [alt_names]
   DNS.1 = www.example.com
   DNS.2 = admin.example.com
   DNS.3 = www.admin.example.com
   ```

   ❗ Important: add only alternative names to the section `[alt_names]`; do not put your main domain (i.e. `example.com`) in your `[alt_names]` section.

4. Generate a Certificate Signing Request (CSR) based on the private domain key:

   ```
   openssl req -config /etc/pjac/openssl.cnf -new -key /etc/pjac/example.com.key -sha256 -nodes -subj "/C=US/ST=Delaware/L=Wilmington/O=My company /OU=IT Department/CN=example.com/[email protected]" -outform PEM -out /etc/pjac/example.com.csr
   ```

5. Register your CA user account (note that this command agrees to the Subscriber Agreement on your behalf; it is suggested to read it before agreeing):

   ```
   java -jar acme_client.jar --command register -a /etc/pjac/account.key --with-agreement-update --email [email protected]
   ```

6. Request a certificate order and download the HTTP01 challenges:

   ```
   java -jar acme_client.jar --command order-certificate -a /etc/pjac/account.key -w /etc/pjac/workdir/ -c /etc/pjac/example.com.csr --well-known-dir /var/www/.well-known/acme-challenge --one-dir-for-well-known
   ```

   For each domain name a challenge file is downloaded and saved to the directory `/var/www/.well-known/acme-challenge`.

7. Verify the challenges for our CSR:

   ```
   java -jar acme_client.jar --command verify-domains -a /etc/pjac/account.key -w /etc/pjac/workdir/ -c /etc/pjac/example.com.csr
   ```

   The domains are now authorized.

8. Generate the certificate and download it:

   ```
   java -jar acme_client.jar --command generate-certificate -a /etc/pjac/account.key -w /etc/pjac/workdir/ --csr /etc/pjac/example.com.csr --cert-dir /etc/pjac/certdir/
   ```

Done. You should now have the following files in the directory `/etc/pjac/certdir/`: `cert.pem`, `chain.pem` and `fullchain.pem`.

ℹ️ The certificate will expire in a relatively short amount of time. Make sure to renew your certificate in time: Scenario 2 - Renew a certificate for multiple domains.
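As an added example (it is not part of this wiki page and not PJAC's own code), the following POSIX shell script ties together step 3 and the renewal note above: it writes a minimal OpenSSL request configuration whose `[alt_names]` section holds only the additional names and refuses the main domain, lists the DNS names a CSR or certificate actually carries, and uses `openssl x509 -checkend` to tell whether a certificate expires within a given number of days. The function names (`write_san_config`, `dns_names`, `missing_names`, `expires_within`, `demo`), the temporary files and the self-signed one-day certificate that stands in for the one PJAC downloads are all this example's own assumptions; it only needs `openssl` on the PATH.

```shell
#!/bin/sh
# Added example for this wiki page (not PJAC's own code): generate the
# [alt_names] section for step 3 without the main domain in it, inspect the
# DNS names a CSR or certificate actually carries, and test how soon a
# certificate expires. All function names are this example's own.
set -eu

# write_san_config MAIN ALT...: print a minimal OpenSSL request config whose
# [alt_names] lists only the additional names. Refuses to list MAIN, because
# the page's note says the main domain belongs in the CN only.
write_san_config() {
    main="$1"; shift
    for name in "$@"; do
        if [ "$name" = "$main" ]; then
            printf 'refusing to put main domain %s into [alt_names]\n' "$main" >&2
            return 1
        fi
    done
    printf '%s\n' '[ req ]' 'distinguished_name = req_distinguished_name' \
        'req_extensions = v3_req' 'prompt = no' ''
    printf '%s\n' '[ req_distinguished_name ]' "CN = $main" ''
    printf '%s\n' '[ v3_req ]' 'basicConstraints = CA:FALSE' \
        'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' \
        'subjectAltName = @alt_names' ''
    printf '%s\n' '[alt_names]'
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# dns_names req|x509 FILE: print the DNS entries of the subjectAltName
# extension of a CSR (req) or certificate (x509), one per line.
dns_names() {
    openssl "$1" -in "$2" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# missing_names "EXPECTED..." "ACTUAL...": print every expected name that is
# absent from the actual list (both arguments are space-separated).
missing_names() {
    for want in $1; do
        found=0
        for have in $2; do
            if [ "$want" = "$have" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$want"; fi
    done
    return 0
}

# expires_within CERT DAYS: succeed if CERT expires within DAYS days, i.e. if
# it is time to renew (openssl's -checkend does the date arithmetic).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# demo: run the whole flow against a constructed key and a self-signed,
# one-day certificate that stands in for the one PJAC would download.
demo() {
    main=example.com
    alts='www.example.com admin.example.com www.admin.example.com'
    tmp=$(mktemp -d)
    write_san_config "$main" $alts > "$tmp/openssl.cnf"
    openssl genrsa -out "$tmp/$main.key" 2048 2>/dev/null
    openssl req -config "$tmp/openssl.cnf" -new -key "$tmp/$main.key" -sha256 \
        -subj "/CN=$main" -outform PEM -out "$tmp/$main.csr"
    printf 'SANs requested in the CSR:\n'
    dns_names req "$tmp/$main.csr"
    # constructed stand-in certificate; the real one comes from step 8
    openssl req -config "$tmp/openssl.cnf" -x509 -extensions v3_req -new \
        -key "$tmp/$main.key" -sha256 -subj "/CN=$main" -days 1 -out "$tmp/cert.pem"
    missing=$(missing_names "$alts" "$(dns_names x509 "$tmp/cert.pem")")
    if [ -z "$missing" ]; then
        printf 'certificate covers every alternative name\n'
    else
        printf 'certificate is missing: %s\n' "$missing"
    fi
    if expires_within "$tmp/cert.pem" 30; then
        printf 'certificate expires within 30 days: renew it (scenario 2)\n'
    fi
    rm -rf "$tmp"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

The demo checks the self-signed stand-in against the alternative names only, because that is all the `[alt_names]` section carries. A certificate issued by Let's Encrypt lists every name in its subjectAltName, the CN included, so against `cert.pem` from step 8 you can pass the main domain to `missing_names` as well, and `expires_within cert.pem 30` is the check to put in front of the renewal scenario.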