I run this command to create a certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

It asks me to fill in information as shown below:

  • Country Name (2 letter code) [AU]:US
  • State or Province Name (full name) [Some-State]:New York
  • Locality Name (eg, city) []:New York City
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test, Inc.
  • Organizational Unit Name (eg, section) []:Ministry of Water Slides
  • Common Name (e.g. server FQDN or YOUR name) []: should this be domain name or IP address?
  • Email Address []:admin@your_domain.com

1 Answer

The common name of a server certificate is irrelevant for modern TLS stacks. Instead, the Subject Alternative Names must be used. CN is considered obsolete and major browsers (Google Chrome and related) will not even consider what's inside the CN.

In the SAN, the name that is used to access the site needs to be given. This means if the URL is https://domain/ then domain must be used as SAN type DNSName. If the URL instead is https://ip/ then ip must be used with SAN type IPAddr. For domains, wildcards can be used too, but only a single wildcard in the leftmost label.

2 Comments

The command that I have mentioned in my question doesn't give me any option to enter the Subject Alternative Names.
@variable: A simple search will give you many posts on how to do this, for example gist.github.com/KeithYeh/bb07cadd23645a6a62509b1ec8986bbc
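
The command from the question with the SAN supplied on the command line, as an added example that is not part of the original question, answer, or the linked gist. It assumes OpenSSL 1.1.1 or newer (needed for `-addext` and `x509 -ext`); the function names and the sample names `example.test` and `192.0.2.10` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL >= 1.1.1.

# Build a subjectAltName value from the names clients will put in the URL.
# IP literals must become IP: entries; everything else becomes DNS: entries.
# A hostname placed in an IP: entry (or the reverse) will not match.
san_from_names() {
  san=""
  for n in "$@"; do
    case $n in
      *:*)        kind=IP ;;   # contains a colon: IPv6 literal
      *[!0-9.]*)  kind=DNS ;;  # anything besides digits and dots: hostname
      *)          kind=IP ;;   # digits and dots only: IPv4 literal
    esac
    san="${san:+$san,}$kind:$n"
  done
  printf '%s\n' "$san"
}

# make_selfsigned KEYFILE CERTFILE NAME [NAME...]
# -subj suppresses the interactive prompts. The CN is set to the first
# name only as a label; clients validate against the SAN list.
make_selfsigned() {
  key=$1 crt=$2
  shift 2
  (
    umask 077   # keep the unencrypted (-nodes) private key owner-only
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$key" -out "$crt" \
      -subj "/CN=$1" \
      -addext "subjectAltName=$(san_from_names "$@")"
  )
}

# Print the SAN extension so the result can be checked before deployment.
show_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# Usage (paths from the question; run as root):
#   make_selfsigned /etc/ssl/private/apache-selfsigned.key \
#                   /etc/ssl/certs/apache-selfsigned.crt \
#                   example.test '*.example.test' 192.0.2.10
#   show_san /etc/ssl/certs/apache-selfsigned.crt
```

Quote wildcard names such as `'*.example.test'` so the shell does not expand them before they reach the function.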
