[HOWTO] create a self signed cert to use HTTPS with multiples CN and IP

    • [HOWTO] create a self signed cert to use HTTPS with multiples CN and IP

      I use the well explained method described here:
      Spanish magmax.org/blog/creando-tu-propia-entidad-certificadora-ssl/
      English datacenteroverlords.com/2012/0…sl-certificate-authority/

      more info on: support.citrix.com/article/CTX227983

      But I modified some things to use SAN: geekflare.com/san-ssl-certificate/

      1 - Create a private key for CA

      Source Code

      1. openssl genrsa -out rootCA.key 2048

      2 - self firm this key for CA

      Source Code

      1. openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

      you generate 3 files on root (I use winSCP to show files):

      This files must be saved in a safe place and uploaded to your Firefox and chrome as Autority:

      So you have a trusted AC cert locally self-firm.

      now is time to create one cert per machine using previously AC cert to firm:

      first you need to copy req.cnf to root to use in post generation.
      please edit as you needs:

      Source Code: req.cnf

      1. [ req ]
      2. default_bits = 2048
      3. default_keyfile = device.key
      4. distinguished_name = subject
      5. req_extensions = extensions
      6. x509_extensions = extensions
      7. string_mask = utf8only
      8. [ subject ]
      9. countryName = Country Name (2 letter code)
      10. countryName_default = ES
      11. stateOrProvinceName = State or Province Name (full name)
      12. stateOrProvinceName_default = Madrid
      13. localityName = Locality Name (eg, city)
      14. localityName_default = Boadilla
      15. organizationName = Organization Name (eg, company)
      16. organizationName_default = local
      17. commonName = Common Name (e.g. server FQDN or YOUR name)
      18. commonName_default = rnas.local
      19. emailAddress = Email Address
      20. emailAddress_default = yourmail@gmail.com
      21. [ extensions ]
      22. subjectKeyIdentifier = hash
      23. basicConstraints = CA:FALSE
      24. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      25. extendedKeyUsage = serverAuth
      26. subjectAltName = @alternate_names
      27. nsComment = "OpenSSL Generated Certificate"
      28. [ alternate_names ]
      29. DNS.1 = rnas.local
      30. DNS.2 = rnas
      31. IP.1 =
      Display All

      As you can see 3 alternate names are used for my NAS
      DNS.1 = rnas.local
      DNS.2 = rnas
      IP.1 =

      that are Common Names for same machine and used only on my LAN ( On WAN
      you have CN like myNAS.duckdns.org or something simmilar)

      Now is time to generate your key:

      Source Code

      1. openssl genrsa -out device.key 2048

      now is time to generate device.csr:

      Source Code

      1. openssl req -new -key device.key -out device.csr -config req.cnf -sha256 -nodes

      Now final steps is to generete cert self-signed with SAN names to do this:

      Source Code

      1. openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 1000 -extensions extensions -extfile req.cnf

      and check that are all correct:

      Source Code

      1. openssl x509 -in device.crt -text -noout


      now is time to load private key on OMV to use HTTPS:
      use devicxe.key as private key
      and device crt as certificate:



      save and go to General settings, and select saved cert to use as HTTPS cert:


      And the last step is to wait 2 minutes to test (because if you test too quickly a warning about time is show).

      now you can test several url ( like DNS1,2 & IP.1 in the cnf file)

      eg: rnas.local

      OMV 4.1.11 x64 on a HP T510, 16GB CF as Boot Disk & 32GB SSD 2,5" disk for Data, 4 GB RAM, CPU VIA EDEN X2 U4200 is x64 at 1GHz

      Post: HPT510 SlimNAS ; HOWTO Install Pi-Hole ; HOWTO install MLDonkey ; HOHTO Install ZFS-Plugin ; OMV_OldGUI ; ShellinaBOX ;
      Dockers: MLDonkey ; PiHole ; weTTY
      Videos: @TechnoDadLife

      The post was edited 3 times, last by raulfg3: live thread until finish edit ().