Issuing SAN certificates using EasyRSA

To use Docker over a VPN, the daemon's TLS certificate has to be valid for every name a client might connect with (the short hostname, the fully qualified name and the VPN IP address), which means a certificate carrying several Subject Alternative Names (SANs). Rather than pay hundreds for a wildcard or SAN cert from a public certificate authority, I use EasyRSA to issue these types of certificates from my own CA.

To issue a SAN server certificate, follow the usual steps for issuing a cert, but set the EASYRSA_EXTRA_EXTS variable first. EasyRSA appends its value to the extension file it builds when it signs (sign-req), so it has to be exported in the shell that runs sign-req; gen-req does not use it, which is why the request summary further down shows only the commonName. The value is OpenSSL subjectAltName syntax: comma-separated DNS: and IP: entries (numbered DNS.1:, DNS.2:, IP.1: also work), one for each name or address a client will use:

window 0 brad@catbert:~/EasyRSA-3.0.1$ export EASYRSA_EXTRA_EXTS="subjectAltName=DNS.1:floyd,,IP.1:"

I was reissuing an existing cert, so I had to revoke the old one before issuing a new one.

window 0 brad@catbert:~/EasyRSA-3.0.1$ ./easyrsa revoke floyd

Please confirm you wish to revoke the certificate with the following subject:

    commonName                = floyd

Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /home/brad/EasyRSA-3.0.1/openssl-1.0.cnf
Revoking Certificate 04.
Data Base Updated


Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

Then I created a new key and CSR.

window 0 brad@catbert:~/EasyRSA-3.0.1$ ./easyrsa gen-req floyd nopass


An existing private key was found at /home/brad/EasyRSA-3.0.1/pki/private/floyd.key
Continuing with key generation will replace this key.

Type the word 'yes' to continue, or any other input to abort.
  Confirm key overwrite: yes
Generating a 2048 bit RSA private key
writing new private key to '/home/brad/EasyRSA-3.0.1/pki/private/floyd.key.h4Vdbfzhn3'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg: your user, host, or server name) [floyd]:

Keypair and certificate request completed. Your files are:
req: /home/brad/EasyRSA-3.0.1/pki/reqs/floyd.req
key: /home/brad/EasyRSA-3.0.1/pki/private/floyd.key

And finally created the new cert.

window 0 brad@catbert:~/EasyRSA-3.0.1$ ./easyrsa sign-req server floyd

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

    commonName                = floyd

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /home/brad/EasyRSA-3.0.1/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'floyd'
Certificate is to be certified until Aug 11 12:55:59 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/brad/EasyRSA-3.0.1/pki/issued/floyd.crt

The key and cert then get copied to where they're needed. As it's my network and I'm not worried about the old cert having been compromised, I didn't bother with copying the CRL to the clients.
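The whole procedure above, reduced to the openssl commands that EasyRSA wraps, as an added example that is not from the original post or from the EasyRSA project. EasyRSA's sign-req runs openssl ca with an extension file assembled from x509-types/server plus EASYRSA_EXTRA_EXTS; the script below builds that file by hand so the SAN step is visible, checks the issued cert the way a TLS client would (chain to the CA, then match the hostname or IP it dialled), and then runs through the revoke, gen-crl and reissue steps to show what the CRL changes. The CA name, the hostname floyd.example.internal, the VPN address 10.8.0.1 and the directory layout are assumptions; it needs only a POSIX shell and the openssl command.

```shell
#!/bin/sh
# Added example: the EasyRSA SAN / revoke / CRL flow done with plain openssl so
# the effect of each step can be inspected. Names and addresses are constructed.
set -eu

# Throwaway CA under $1, with a layout loosely modelled on EasyRSA's pki/ dir.
ca_init() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/private" "$dir/issued"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir/certs
certificate      = $dir/ca.crt
private_key      = $dir/private/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 3650
default_crl_days = 180
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -config "$dir/ca.cnf" \
    -subj "/CN=Demo CA" -keyout "$dir/private/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Key + CSR for $2, signed with an extension file like the one EasyRSA's sign-req
# assembles from x509-types/server and EASYRSA_EXTRA_EXTS. $3 is the subjectAltName
# value in OpenSSL syntax; the CSR itself carries only the CN, as on the page.
issue_server_cert() {
  dir=$1; name=$2; san=$3
  openssl req -new -nodes -newkey rsa:2048 -config "$dir/ca.cnf" -subj "/CN=$name" \
    -keyout "$dir/private/$name.key" -out "$dir/$name.req" >/dev/null 2>&1
  cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
subjectAltName = $san
EOF
  openssl ca -batch -notext -config "$dir/ca.cnf" -extfile "$dir/$name.ext" \
    -in "$dir/$name.req" -out "$dir/issued/$name.crt" >/dev/null 2>&1
}

# Print the SAN list of a cert; empty when the extension is missing, which is
# what you get if EASYRSA_EXTRA_EXTS was not exported in the shell running sign-req.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# What a TLS client does: chain to the CA, then match the name or IP it dialled.
verify_hostname() { openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1; }
verify_ip()       { openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$2" >/dev/null 2>&1; }

# Revoking only edits the CA's index; gen_crl publishes it, and a client rejects
# the old cert only once that CRL is in the trust material it verifies against.
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1; }
gen_crl()     { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1; }
verify_with_crl() {
  cat "$1/ca.crt" "$1/crl.pem" > "$1/ca-with-crl.pem"
  openssl verify -CAfile "$1/ca-with-crl.pem" -crl_check "$2" >/dev/null 2>&1
}

main() {
  work=$(mktemp -d)
  ca_init "$work"
  # Every name a Docker client might dial: short name, FQDN, VPN address (constructed).
  san='DNS:floyd,DNS:floyd.example.internal,IP:10.8.0.1'
  issue_server_cert "$work" floyd "$san"
  echo "SANs in issued cert: $(cert_sans "$work/issued/floyd.crt")"
  verify_hostname "$work" "$work/issued/floyd.crt" floyd && echo "floyd: OK"
  verify_ip "$work" "$work/issued/floyd.crt" 10.8.0.1 && echo "10.8.0.1: OK"
  verify_hostname "$work" "$work/issued/floyd.crt" otherhost || echo "otherhost: rejected, not in SAN"
  # The reissue from the page: revoke, then sign a fresh request for the same CN.
  cp "$work/issued/floyd.crt" "$work/floyd-old.crt"
  revoke_cert "$work" "$work/floyd-old.crt"
  gen_crl "$work"
  issue_server_cert "$work" floyd "$san"
  verify_with_crl "$work" "$work/floyd-old.crt" || echo "old cert: rejected once the CRL is checked"
  verify_with_crl "$work" "$work/issued/floyd.crt" && echo "new cert: OK"
  rm -rf "$work"
}
main
```

Run it with sh. The two things worth looking at are the SAN line, which comes out empty if the extension file (with EasyRSA, EASYRSA_EXTRA_EXTS) was missing at signing time, and the fact that the revoked cert verifies cleanly against the bare CA cert and only fails once the CRL is added to the trust bundle, which is exactly the state clients are left in when the CRL is never copied to them.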