Monday, January 30, 2023

Why and How to create a SAN SSL certificate request?

Why ?

A Subject Alternative Name (SAN) certificate carries multiple hostnames in one certificate. It is used instead of a wildcard (*.domain.com) CN when the same certificate will serve multiple subdomains.

How ?

1- Create a configuration file as below:

vi req.conf

 

[req]

distinguished_name = req_distinguished_name

req_extensions = v3_req

prompt = no

[req_distinguished_name]

C = BH

ST = MANAMA

L = MANAMA

O = <companyName>

OU = IT

CN = CN.Domain

[v3_req]

keyUsage = keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]

DNS.1 = CN1.Domain

DNS.2 = CN2.Domain

2- Create the CSR file along with the private key, and keep a copy of this private key, as you may need it later:

openssl req -new -out certificate.csr -newkey rsa:2048 -nodes -sha256 -keyout certificate.key -config req.conf

Submit the certificate request to the CA to be signed. You may want to verify the CSR file information first, using the below:

openssl req -text -noout -verify -in certificate.csr
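The verification step above, taken one step further as an added example that is not part of the original post: the script lists the DNS names a CSR actually requests and fails if an expected hostname is missing, which catches a config whose SAN section was not applied before the CSR goes to the CA. The example.test hostnames and the demo file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Hostnames below are constructed.

# Print the DNS names a CSR requests in subjectAltName, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 only if every expected hostname is in the SAN list (case-insensitive).
check_csr_sans() {
    csr=$1; shift
    sans=$(csr_sans "$csr" | tr 'A-Z' 'a-z')
    missing=0
    for name in "$@"; do
        want=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$sans" | grep -qxF "$want"; then
            echo "missing from SAN: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# Build a throwaway key and CSR from a constructed config, same layout as req.conf.
make_demo_csr() {
    cat > "$1/req.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = www.example.test
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.test
DNS.2 = api.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1/demo.key" \
        -out "$1/demo.csr" -config "$1/req.conf" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_demo_csr "$tmp"
check_csr_sans "$tmp/demo.csr" www.example.test api.example.test && echo "SAN list OK"
check_csr_sans "$tmp/demo.csr" mail.example.test || echo "CSR must be regenerated"
```

Include the CN hostname among the expected names as well: clients that validate against subjectAltName do not fall back to the CN.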

Below is the certificate sequence in a PEM file, for reference in case needed:

-----BEGIN CERTIFICATE-----

(Your Primary SSL certificate: your_domain_name.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Intermediate certificate: DigiCertCA.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Root certificate: TrustedRoot.crt)

-----END CERTIFICATE-----

Wednesday, January 11, 2023

Why and How to generate a self-signed or publicly signed certificate?

Why ?

A certificate can be self-signed or publicly signed. A self-signed certificate is signed by your server only and no publicly trusted authority knows it, so it is good for testing only. For production servers or website services that need a certificate, you have to generate a request file to be signed by a publicly known authority, then load the signed certificate into the public website or service that needs it.

How ?

1- Generate a private key that will be used to generate the certificate request. Keep this key safe, as you may need it in the future.

## with password:

openssl genrsa -des3 -out server.key 2048

## without password:

openssl genrsa -out server.key 2048

2- Create the Certificate Signing Request:

openssl req -new -key server.key -sha256 -out server.csr

If this certificate will be signed by a public authority, you have to share “server.csr” and they will provide you a signed certificate (mainly a .cer or .crt file).

3- For a self-signed certificate, do the below. This generates a server certificate in which your own key acts like a private authority to sign the CSR:

openssl x509 -req -days 1825 -in server.csr -signkey server.key -out server.crt

4- In many cases you may need to convert crt to PEM format, use the below:

openssl x509 -in server.crt -out server.pem -outform PEM

Tuesday, January 3, 2023

Why and How to set up the X display parameter after switching user in Linux?

Why ?

On an SSH session that supports X11 forwarding (remote display forwarded through SSH), the display is available to the first login user only. If -X or -Y is used, the display is forwarded as well; however, if you just switch user with ‘su’, the display from server to client is lost. Use the below steps to move the display from the first user to the second, switched user.

How ?

1- After logging in with the first user, before switching, take the details of the display.

$ xauth list $DISPLAY

<output1>

$ echo $DISPLAY

<output2>

2- Switch to the second user, then run:

$ xauth add <output1>

$ export DISPLAY=<output2>

Why and How to install Grid 19c on RHEL 8?

  Why ? Simply we will be requested to install Oracle Grid RAC DB on Redhat RHEL 8, below is my note for this installation . How ? 1-  OS in...