[HOWTO] create a self signed cert to use HTTPS with multiples CN and IP

I use the well explained method described here:
Spanish https://magmax.org/blog/creand…ntidad-certificadora-ssl/
English https://datacenteroverlords.co…sl-certificate-authority/

more info on: https://support.citrix.com/article/CTX227983

But I modified some things to use SAN: https://geekflare.com/san-ssl-certificate/

1 - Create a private key for CA

openssl genrsa -out rootCA.key 2048

2 - self firm this key for CA

openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

you generate 3 files on root (I use winSCP to show files):
1.jpg

This files must be saved in a safe place and uploaded to your Firefox and chrome as Autority:
2.jpg

So you have a trusted AC cert locally self-firm.

now is time to create one cert per machine using previously AC cert to firm:

first you need to copy req.cnf to root to use in post generation.
please edit as you needs:

[ req ]
default_bits = 2048
default_keyfile = device.key
distinguished_name = subject
req_extensions = extensions
x509_extensions = extensions
string_mask = utf8only


[ subject ]
countryName = Country Name (2 letter code)
countryName_default = ES


stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Madrid


localityName = Locality Name (eg, city)
localityName_default = Boadilla


organizationName = Organization Name (eg, company)
organizationName_default = local


commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default  = rnas.local


emailAddress = Email Address
emailAddress_default = yourmail@gmail.com


[ extensions ]
subjectKeyIdentifier = hash


basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"


[ alternate_names ]
DNS.1 = rnas.local
DNS.2 = rnas
IP.1 = 192.168.1.103

As you can see 3 alternate names are used for my NAS
DNS.1 = rnas.local
DNS.2 = rnas
IP.1 = 192.168.1.103

that are Common Names for same machine and used only on my LAN ( On WAN
you have CN like myNAS.duckdns.org or something simmilar)

Now is time to generate your key:

openssl genrsa -out device.key 2048

now is time to generate device.csr:

openssl req -new -key device.key -out device.csr -config req.cnf -sha256 -nodes

Now final steps is to generete cert self-signed with SAN names to do this:

openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 1000 -extensions extensions -extfile req.cnf

and check that are all correct:

openssl x509 -in device.crt -text -noout

7.jpg

now is time to load private key on OMV to use HTTPS:
use devicxe.key as private key
and device crt as certificate:

8.jpg
5.jpg

6.jpg

save and go to General settings, and select saved cert to use as HTTPS cert:

7_2.jpg

And the last step is to wait 2 minutes to test (because if you test too quickly a warning about time is show).

now you can test several url ( like DNS1,2 & IP.1 in the cnf file)

eg: https://rnas.local

or

https://192.168.1.103