Generate a Self-Signed SSL certificate with Subject Alternative Names

Modern browsers like Chrome require you to have more secure certificates with 3072 bits / sha256 and higher encryption. In order for HAproxy to support multiple storage domains, we need to enable additional extensions and include subject alternate names to the certificate.

Instructions

Complete these steps carefully:

1. Edit the SSL configuration: /etc/pki/tls/openssl.cnf
   
   

   1. In the section "[ req ]", add or uncomment this line:

      [ req ] req_extensions = v3_req

   2. Immediately below, add the following:

      [ v3_req ] subjectAltName = @alt_names [ alt_names ] DNS.1 = example.demo.sales.local DNS.2 = master.acme.org

   3. Add as many alternative names as needed to the alt_names section.

   4. (optional) Set the other defaults as desired: countryName_default , localityName_default, ... 

2. Generate a private key: 
   
   

   openssl genrsa -des3 -out YOURDOMAIN.key 3072

3. Generate a CSR key with the newly created private key:
   
   

   openssl req -new -key YOURDOMAIN.key -out YOURDOMAIN.csr -config /etc/pki/tls/openssl.cnf -sha256 -newkey rsa:3072

4. Generate the final certificate:
   
   

   openssl x509 -req -sha256 -days 3650 -in YOURDOMAIN.csr -signkey YOURDOMAIN.key -out YOURDOMAIN.crt -extensions v3_req -extfile /etc/pki/tls/openssl.cnf

5. Combine both YOURDOMAIN.key and YOURDOMAIN.crt into a single YOURDOMAIN.pem file and configure HAproxy to use it.

6. Restart the HAproxy service.

7. From a Windows client or server, navigate to the secure URI with Chrome.

8. At first, it will say it's an untrusted certificate. Download the certificate locally, then double-click it to install it.

9. Restart the browser, and navigate to the secure URI. The browser should now accept the certificate.

Related articles