May 14, 2018 2 minute read

Self Signed Certificates with Subject Alternate Name

In one of my last projects I was asked about self signed Certificates with a Subject Alternate Name . As this is a little bit tricky I want to share the results of this.

My Test Setup:

Have downloaded and extracted SAPCryptolib (8.5.21) on my (Windows) Laptop.

Have installed WSL (in my case Ubuntu) installed on my Laptop to get openssl.

After this I can start:

First set the SECUDIR Variable to the Directory where the SAPCryptolib was extracted, e.g.

c:\SAPGENPSE>set SECUDIR=c:\SAPGENPSE

As the next Step create a PSE and CSR that match the needs, e.g.:

sapgenpse gen_pse -p SSLExample.pse -r SSLExample.csr -k GN-dNSName:www.example.com -k GN-dNSName:www.example.net -k GN-dNSName:www.example.org “CN=SelfSigned With SAN, OU=SAP Web AS, O=Example, C=DE”

Then export a p12 file from the PSE to extract later the Certificate and Key with openssl e.g.:

sapgenpse.exe export_p12 -p SSLExample.pse SSLExample.p12

Now switch to the WSL to continue with openssl for signing the CSR.

Then extract the Private Key for sign the CSR e.g.:

openssl pkcs12 -in SSLExample.p12 -nocerts -out SSLExample.key

!! For the Key a password is needed otherwise sign the CSR will fail !!

Also extract the Certificate from the p12 e.g.:

openssl pkcs12 -in SSLExample.p12 -clcerts -nokeys -out SSLExample.pem

Now we have nearly eveything we need:

The CSR, the (private) Key and the Certificate.

But also I need a small Text File (v3.ext) that contain the following:

Now I can sign the Certificate e.g.:

openssl x509 -req -days 730 -sha256 -in SSLExample.csr -CA SSLExample.pem -CAkey SSLExample.key -CAcreateserial -out SSLExample_signed.cer -extfile v3.ext

As it is not supported to import a self signed Certificate into a PSE we need to build a p12 File for import it into our PSE e.g.:

openssl pkcs12 -export -in SSLExample_signed.cer -inkey SSLExample.key -out SSLExample_signed.p12

Self Signed Certificates with Subject Alternate Name

Assigned Tags