Add Subject Alternative Names to existing Certificate

In some situations you might want to add additional SANs (subject alternative names) to your host certificate. This is pretty handy when you're using one or several aliases for one of your hosts.

While some of these steps could be done on a Domaincontroller Backup, renewing can only be done on the Domaincontroller Master, and any changes made elsewhere would be overwritten. Therefore everything has to be done on the Master.

First of all create a backup of the following files:

  • openssl.cnf
  • req.pem

root@ucs:# cd /etc/univention/ssl/<FQDN>
root@ucs:/etc/univention/ssl/<FQDN># cp openssl.cnf{,.orig}; cp req.pem{,.orig}

Now edit the certificate settings in openssl.cnf for the appropriate host certificate by changing line 101 in section [ v3_req ] from

[ v3_req ]

subjectAltName = DNS:, DNS:

into

subjectAltName = @alt_names

and add the following lines underneath:

[alt_names]
DNS.1 = <FQDN>
DNS.2 = <HOSTNAME>
DNS.3 = <ALT_FQDN>
DNS.4 = <ALT_HOSTNAME>

You may add many more entries here; according to RFC 5280 the upper bound is unspecified.

Now it's time to create a new certificate signing request (CSR) with the existing private.key.

root@ucs:/etc/univention/ssl/<FQDN># . /usr/share/univention-ssl/make-certificates.sh
root@ucs:/etc/univention/ssl/<FQDN># openssl req -new -key private.key -config openssl.cnf -out req.pem

Now check that all SANs are present in the newly created request.

root@ucs:/etc/univention/ssl/<FQDN># openssl req -in req.pem -noout -text | grep -E "(Subject Alternative Name|DNS)"
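The steps above (an [alt_names] section referenced from [ v3_req ], a CSR built from an existing key, and a grep over the request) can be exercised end to end without touching a UCS system. The following is an added example and not code from the original post or from UCS: it writes a small stand-alone openssl.cnf instead of editing the UCS one, generates a throw-away key, and checks that every expected DNS name really ended up in the CSR, which is the check you want before running the renewal. All host names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of UCS: build a small
# stand-alone openssl.cnf with an [alt_names] section, create a CSR from a
# fresh key, and verify that every expected DNS SAN is present in the CSR.
# All host names below are constructed placeholders.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# write_config CFG NAME... : write a minimal request config whose v3_req
# section references @alt_names, then append one DNS.n line per name.
write_config() {
    cfg="$1"; shift
    cat > "$cfg" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = ucs.example.test

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
EOF
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name" >> "$cfg"
        i=$((i + 1))
    done
}

# make_csr CFG KEY CSR : generate a 2048-bit RSA key and a CSR using CFG.
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null
    openssl req -new -key "$2" -config "$1" -out "$3"
}

# csr_dns_sans CSR : print the DNS names from the CSR's SAN extension,
# one per line (the names follow the "Subject Alternative Name" header line).
csr_dns_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# check_sans CSR NAME... : succeed only if every NAME is a DNS SAN in the CSR.
check_sans() {
    csr="$1"; shift
    found="$(csr_dns_sans "$csr")"
    for name in "$@"; do
        if ! printf '%s\n' "$found" | grep -qxF -- "$name"; then
            echo "missing SAN: $name" >&2
            return 1
        fi
    done
    return 0
}

# Demo with constructed names: the host's FQDN, its short name and one alias.
write_config "$WORKDIR/openssl.cnf" ucs.example.test ucs alias.example.test alias
make_csr "$WORKDIR/openssl.cnf" "$WORKDIR/private.key" "$WORKDIR/req.pem"
csr_dns_sans "$WORKDIR/req.pem"
check_sans "$WORKDIR/req.pem" ucs.example.test ucs alias.example.test alias \
    && echo "all expected SANs present"
```

On a real host you would point check_sans at /etc/univention/ssl/<FQDN>/req.pem and pass the names from your [alt_names] section; a non-zero exit means the config edit did not take effect (typically because [ v3_req ] still lists the old literal DNS entries) and the renewal should not be run yet.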

With this request you can create the renewed certificate.
From here on all steps are done with UCS-internal tools, so you could also continue via the UMC.

root@ucs:~# univention-certificate renew -name <FQDN> -days 1825

Finally, you should also check the renewed certificate.

root@ucs:/etc/univention/ssl/<FQDN># openssl x509 -in cert.pem -noout -text | less

Of course the last step is to publish the renewed certificate as described in the section “Copy the new certificate” of the article:
