openssl and SSL certificate with Common Name

This posting is rather off-topic for Opensuse. I have searched for an answer on the web without success (including the openssl site), so I thought I would ask here.

Use case: For our local network I wish to create a wildcard SSL certificate signed with a local CA certificate.

How do I create a wildcard SSL certificate that includes the Common Name in the certificate?

I can create a self-signed (CA) wildcard certificate, no problem. Lots of info about doing that. What I have not found is how to include the Common Name (CN) and, it would be cool, the Organization Unit Name (OU, OrganizationUnitName). Browsing various commercial sites seems to indicate that Wildcard, CN, and OU cannot all be present, pick any two; I do not know if that is true.

Can anyone recommend a site that discusses this particular issue?

Have you looked at the YaST CA Management and Common Server Certificate tools (may need installing)?

Yes. It does not offer any more options than I have already discovered.

I mistakenly indicated the option for the OU would be a bonus. What I really wanted is the Organization Name (O).

Not sure which one you're looking at, but if I run:

yast2 ca_mgm

then press Create Root CA, I see both Organization and Organization Unit?

I assume you want to create a certificate for your website? That’s important to know and critical to how the process works of requesting and generating an SSL certificate.
If you’re creating a certificate for some other purpose, then I guess you can disregard all that follows…

First step is to create a CA (Certificate Authority) if you want to set things up as an Enterprise.
How you create your CA will depend largely on what kind of security you’ve deployed for your company and/or LAN. If you’ve installed network security like LDAP or AD, then the members of your Domain will automatically recognize and trust any certificates generated by your CA… Else, the certificates generated by your CA will not be automatically trusted, so they will have to be manually installed into each Host.

The alternative would be to pay for your certificate to be part of the chain from a commercial CA, certificates from a commercial CA or from CA authorized by a commercial CA are already installed by default in web browsers so are automatically trusted.

After setting up your CA, any machine, or an application (like a webserver), can generate a CSR (certificate signing request) for your CA (or a commercial CA), and at that time you “fill in the blanks” specifying the things you’re asking about.

The CA grants your request, and then you can install that certificate appropriately (like in your webserver’s website).

If you don’t want to set up a CA and create a self-signed certificate, you still have to do so starting with creating a CSR (certificate signing request) using openssl, and then use openssl again to generate the certificate based on your CSR.

The following looks like it describes the process accurately if you’re installing into an apache webserver. If these instructions aren’t clear or you’re running a different webserver, post your details.

As for creating a wildcard certificate, that is what you specify for the CN.
And, all the attributes you listed (and more) are generally input through the CSR, you’re mistaken that they aren’t all present (some required, some optional).
Remember again that a self-signed certificate won’t be automatically trusted by anyone, so each visitor will need to manually configure your certificate to be trusted.
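As an added example (it is not code from this thread, from YaST or from OpenSSL's own documentation), the steps described above, a local root CA signing a request whose Subject carries CN, O and OU at the same time, done with Go's standard library so it runs offline with no CA files involved. The domain example.internal and the organization names are assumed sample values. It also shows the check a practitioner wants: current browsers and Go's verifier match the host name against the subjectAltName extension, not the CN, so the wildcard has to be repeated in the SAN list (with openssl that is the subjectAltName extension of the CSR or signing config); the CN, O and OU are still all present in the Subject and are shown as-is.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertChain holds the constructed local root CA and the wildcard server
// certificate it signed. Both live only in memory.
type CertChain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// BuildWildcardChain plays both roles from the thread: the local CA, and the
// requester that "fills in the blanks" of the CSR. The leaf Subject carries
// CN, O and OU together, and the wildcard is repeated in the subjectAltName
// extension (DNSNames), which is what verifiers actually match against.
// domain is an assumed sample value such as "example.internal".
func BuildWildcardChain(domain string) (*CertChain, error) {
	now := time.Now()

	// Root CA key and self-signed CA certificate.
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         "Example Lab Root CA", // assumed name
			Organization:       []string{"Example Lab"},
			OrganizationalUnit: []string{"IT"},
		},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	// Server key plus the fields a CSR would carry for the wildcard host.
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	wildcard := "*." + domain
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject: pkix.Name{
			CommonName:         wildcard,
			Organization:       []string{"Example Lab"},
			OrganizationalUnit: []string{"Web"},
		},
		// A wildcard covers exactly one label, so the bare domain is listed too.
		DNSNames:    []string{wildcard, domain},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The CA "grants the request": the leaf is signed with the CA key.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &CertChain{CA: caCert, Leaf: leafCert}, nil
}

// VerifyHost does what a browser does once the local CA is in its trust store:
// it builds the chain to the CA and matches host against the leaf's SANs.
func (c *CertChain) VerifyHost(host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.CA)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	chain, err := BuildWildcardChain("example.internal")
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf subject:", chain.Leaf.Subject.String())
	fmt.Println("issuer:      ", chain.Leaf.Issuer.String())
	for _, h := range []string{"www.example.internal", "example.internal", "a.b.example.internal"} {
		fmt.Printf("%-22s -> %v\n", h, chain.VerifyHost(h))
	}
}
```

Running it prints a Subject with all three of CN, OU and O, then shows that www.example.internal and the bare domain verify while a.b.example.internal does not, because a wildcard only matches a single label. The same rule applies to certificates produced with openssl: whatever the CN says, the name a browser checks is the one in subjectAltName.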

Thank you all for your replies and insight.

My main problem in this case was ignorance. I have always found security a difficult subject fraught with innumerable detail and options for error. Comprehensible documentation seems hard to find. Many of the options are not described, or have such a terse description as to be useless. I will likely find some eventually.

I found this site to be quite helpful in setting up a set of scripts to create valid, self-signed certificates for our local network.

After creating the root, intermediate, and server certificates, I then needed to scurry from workstation to workstation adding CA certificates to the authority lists, and both CA and server certs for the various servers.

Now we have the nifty green lock for all the local secure connections.

Congrats on getting a solution working.
Now, if you can, follow “best practice” and take your root CA offline (it should be online only for certificate operations, and if you created subordinate CAs, then it can almost never be online).

Intermediate and other subordinate CAs are useful only in a <very> large Enterprise, or an Enterprise that demands better security and usually involves a substantial monetary investment.

For most tiny businesses or LANs, only a root CA (probably with backup) which can perform all necessary functions is needed… and, as I described, perhaps simply omitting a root CA altogether, using a designated machine with OpenSSL installed to generate and maintain your certificate store.

Remember, Keep It Simple.
If you don’t size your architecture appropriately, e.g. creating additional unneeded CAs, that’s all additional things that need to be maintained well and can potentially cause problems if something goes wrong.