Parliament Hill Computers LtdParliament Hill Computers Ltd

Understanding and generating OpenSSL.cnf files


OpenSSL.cnf files

Why are they so hard to understand ?

The documentation is poor, there are too many ways of doing the same thing, the examples are overly complex for the purpose of simple web servers.

Learning from that we have a simple, commented, template that you can edit. It is in the directory SSLConfigs.

Creating your first some-domain.cnf

Decide on a name for the certificate family, eg my-website

Copy EXAMPLE.cnf to a meaningful name, eg my-website.cnf

Modify the 7 lines that start countryName=. What we put is:

	countryName=            UK
	stateOrProvinceName=    Hertfordshire
	localityName=           Watford
	organizationName=       Parliament Hill Computers
	organizationalUnitName= Web Server
	commonName=             www.phcomp.co.uk
	emailAddress=           addw@phcomp.co.uk
     

If you have more than one web site address, then you need to put then in the alt_names section at the bottom. You can put up to 99 extra names. What we put included:

	DNS.1 = www4.phcomp.co.uk
	DNS.2 = ipv6.phcomp.co.uk
	DNS.3 = ipv4.phcomp.co.uk
	DNS.4 = test.phcomp.co.uk
     

If you do not have any then comment out the line that references the section:

     # subjectAltName = @alt_names
     

Complete example

Here is a complete example ssl.cnf file.


Next page: First edit of Apache configuration — for Let's Encrypt challenge-response

Return to How to Configure Let's Encrypt with acme_tiny.py

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.