Crear autoridad certificadora (CA) y certificados autofirmados en Linux

Una autoridad certificadora (CA) es una entidad con capacidad para firmar certificados. Para crear una CA es necesario crear el par criptográfico llave privada (ca.key) y certificado publico (ca.cert). Esta CA puede ser usada para firmar certificados de autoridades certificadores intermedias (intermediate CAs) o certificados finales de usuarios o servidores.

En esta entrada se verá como crear una CA así como crear y firmar certificados con nuestra CA. Además los certificados creados y firmados por la CA incorporarán la extensión SAN (Subject Alternative Name).

Crear la entidad certificadora (CA)

Preparar el directorio

DIR_CA="/root/ca"
cd $DIR_CA
mkdir certs csr crl newcerts private
chmod 700 private
touch index.txt
touch index.txt.attr
echo 1000 > serial

Preparar los archivos de configuración

Setear variables

countryName_default="ES"
stateOrProvinceName_default="Madrid"
localityName_default="Madrid"
organizationName_default="Guillen.io"
organizationalUnitName_default="IT"
emailAddress_default=""

Crear el archivo de configuración

DIR_CA="./"
cat <<EOF>$DIR_CA/openssl.conf
[ ca ]
# man ca
default_ca = CA_default
 
[ CA_default ]
# Directory and file locations.
dir               = ${DIR_CA}
certs             = ${DIR_CA}certs
crl_dir           = ${DIR_CA}crl
new_certs_dir     = ${DIR_CA}newcerts
database          = ${DIR_CA}index.txt
serial            = ${DIR_CA}serial
RANDFILE          = ${DIR_CA}private/.rand
 
# The root key and root certificate.
private_key       = ${DIR_CA}private/ca.key.pem
certificate       = ${DIR_CA}certs/ca.cert.pem
 
# For certificate revocation lists.
crlnumber         = ${DIR_CA}crlnumber
crl               = ${DIR_CA}crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30
 
# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256
 
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict
 
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of man ca.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the ca man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ req ]
# Options for the req tool (man req).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256
# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca
# Extension for SANs
req_extensions      = v3_req
 
[ v3_req ]
# Extensions to add to a certificate request
# Before invoke openssl use: export SAN=DNS:value1,DNS:value2
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
xxxsubjectAltNamexxx =
 
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address
 
# Optionally, specify some defaults.
countryName_default             = $countryName_default
stateOrProvinceName_default     = $stateOrProvinceName_default
localityName_default            = $localityName_default
0.organizationName_default      = $organizationName_default
organizationalUnitName_default  = $organizationalUnitName_default
emailAddress_default            = $emailAddress_default
 
[ v3_ca ]
# Extensions for a typical CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 
[ usr_cert ]
# Extensions for client certificates (man x509v3_config).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
 
[ server_cert ]
# Extensions for server certificates (man x509v3_config).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
 
[ crl_ext ]
# Extension for CRLs (man x509v3_config).
authorityKeyIdentifier=keyid:always
 
[ ocsp ]
# Extension for OCSP signing certificates (man ocsp).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOF
sed -i 's|xxxsubjectAltNamexxx \=|subjectAltName = ${ENV::SAN}|g' openssl.conf

Crear la clave privada de la entidad certificadora (CA)

openssl genrsa -aes256 -out ${DIR_CA}private/ca.key.pem 4096
chmod 400 ${DIR_CA}private/ca.key.pem

Ejemplo de ejecución:

[agd@folio13 ca]$ openssl genrsa -aes256 -out ${DIR_CA}private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
....................++
.........................................................................................++
e is 65537 (0x010001)
Enter pass phrase for ./private/ca.key.pem:
Verifying - Enter pass phrase for ./private/ca.key.pem:
[agd@folio13 ca]$ chmod 400 ${DIR_CA}private/ca.key.pem

Crear el certificado de la entidad certificadora (CA)

URL=ca.guillen.io
export SAN=DNS:$URL
openssl req -config openssl.conf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem

Ejemplo de ejecución:

[agd@folio13 ca]$ URL=ca.guillen.io
[agd@folio13 ca]$ export SAN=DNS:$URL
[agd@folio13 ca]$ openssl req -config openssl.conf \
>       -key private/ca.key.pem \
>       -new -x509 -days 7300 -sha256 -extensions v3_ca \
>       -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name [Madrid]:
Locality Name [Madrid]:
Organization Name [Guillen.io]:
Organizational Unit Name [IT]:
Common Name []:
Email Address []:
[agd@folio13 ca]$ chmod 444 certs/ca.cert.pem

Verificar el certificado de la entidad certificador (CA)

Es posible verificar el certificado mediante openssl x509 -noout -text -in certs/ca.cert.pem. Notar como el certificado incluye las extensiones X509v3 extensions:

[agd@folio13 ca]$ openssl x509 -noout -text -in certs/ca.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fc:ac:03:08:95:fe:91:3b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ES, ST = Madrid, L = Madrid, O = Guillen.io, OU = IT
        Validity
            Not Before: Jul 24 20:48:51 2018 GMT
            Not After : Jul 19 20:48:51 2038 GMT
        Subject: C = ES, ST = Madrid, L = Madrid, O = Guillen.io, OU = IT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:aa:fa:46:89:dd:e2:3a:3f:b5:90:da:5c:05:65:
                    95:20:e6:7b:00:de:c5:ab:72:be:13:8e:7e:25:4d:
                    62:d5:be:40:8f:e1:71:f1:43:6b:f6:bf:55:d3:05:
                    9b:e8:ee:43:20:07:05:91:a9:d7:b5:0a:7d:6b:21:
                    4b:dc:7b:b9:85:64:80:2f:78:42:61:2a:f5:b6:41:
                    0b:89:5c:64:6a:83:42:73:64:77:9e:4c:ce:a2:e9:
                    eb:9b:ca:74:c2:6b:a3:a4:da:0a:4a:14:0f:2e:3c:
                    98:9d:92:d5:0c:8f:e3:d7:1b:63:eb:5f:53:ff:08:
                    3e:1e:50:04:16:b4:d3:f4:07:4d:db:ac:18:ef:06:
                    63:a5:e8:7c:17:af:49:74:88:60:1e:e0:a2:67:03:
                    27:94:98:e2:cc:e1:63:83:8e:f5:dc:ea:18:a5:26:
                    db:86:31:90:59:75:7d:78:6b:9c:e3:88:ec:00:cc:
                    6a:90:62:67:e7:78:6a:f9:08:40:62:56:79:db:7c:
                    a7:bb:90:57:c6:ab:c4:88:24:73:3c:e8:a5:36:8b:
                    47:68:5a:0b:b4:29:28:26:f4:fb:03:18:f0:26:6f:
                    df:0e:db:46:d2:37:10:e4:2b:c7:8f:b3:a7:2e:47:
                    c5:6b:f3:9f:ef:7a:13:fa:e7:22:55:8a:b6:4e:64:
                    b6:e9:00:4a:ac:ef:2e:9a:9b:77:e6:3b:85:c7:70:
                    76:c9:01:57:19:9d:ab:35:f3:95:ad:c1:74:b5:b9:
                    7d:f4:06:c0:7f:c0:1c:ed:a4:16:43:c2:e3:be:3b:
                    81:9d:d2:da:c6:6e:f9:e6:10:ac:56:b8:0b:30:f2:
                    95:71:22:52:73:32:20:b5:f8:04:0b:a6:05:68:5c:
                    f2:16:02:e5:c5:32:5e:d5:69:0d:67:5a:04:ed:75:
                    d4:42:96:6b:c6:86:f8:7b:31:d0:f0:eb:b4:4a:9f:
                    d9:74:67:c7:d9:3e:ce:f7:54:31:d9:5d:ea:e9:a6:
                    60:d3:54:8e:86:7f:a9:d5:d8:39:71:39:f6:a6:4f:
                    dd:13:bd:5e:99:eb:4d:75:3d:91:89:2c:94:af:bf:
                    e5:03:b5:ea:4d:99:41:f5:37:68:40:12:f2:3b:c0:
                    5e:2f:10:ef:a8:cd:8c:33:93:ca:78:5b:29:4b:26:
                    a4:18:f5:b3:84:c0:83:92:68:39:62:67:29:b2:4c:
                    30:f3:9c:73:19:bc:34:c9:1d:dd:3d:cb:e1:ce:63:
                    b0:0e:50:6f:d8:76:48:0a:fe:45:9b:b7:a9:a8:67:
                    23:8a:12:bc:81:bd:5b:2c:63:d2:40:3c:91:4b:fe:
                    63:79:df:9a:ee:64:b0:b4:21:8e:b0:80:67:34:68:
                    7e:e0:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                88:3D:6D:7D:68:74:E0:3A:85:03:86:CB:D4:A2:12:1B:C8:4B:63:04
            X509v3 Authority Key Identifier: 
                keyid:88:3D:6D:7D:68:74:E0:3A:85:03:86:CB:D4:A2:12:1B:C8:4B:63:04

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         3d:39:ec:43:e6:55:0a:53:dd:c1:92:02:e5:97:46:03:95:5d:
         0b:17:a8:c8:b2:0c:c9:70:7c:b4:f5:87:64:0d:85:7d:36:25:
         fb:65:cb:e0:67:38:8e:03:24:51:f6:49:c1:88:69:f4:79:cd:
         93:e5:c9:3b:f2:00:f3:2f:f2:93:fb:89:a3:55:41:d4:d0:f9:
         eb:15:1e:77:dc:25:cf:9d:bd:ae:9c:61:47:fd:91:b3:8d:f6:
         8b:bf:1a:ad:a3:73:4e:fd:9e:32:bb:ca:7c:f5:5d:90:a9:c5:
         a5:7b:78:e8:dc:a9:8a:34:d7:16:53:11:62:4b:66:4c:b4:64:
         ab:94:ee:8e:5b:2d:9a:90:bc:eb:a4:7f:1a:88:2c:74:31:0f:
         9c:99:5a:fc:ce:d7:19:1c:c3:38:dc:43:1a:4d:c2:0f:d4:54:
         49:c7:c9:de:a7:c0:95:36:0b:e2:41:07:f6:0c:eb:8b:4a:7e:
         75:ee:5e:fc:60:1c:c0:03:5d:9f:81:99:df:83:2e:e6:12:eb:
         92:53:16:59:47:82:80:2b:70:12:63:e8:5b:cd:b2:ea:6f:4d:
         ee:7b:ee:3d:5e:08:74:c5:a9:86:a2:98:61:06:eb:57:9a:e5:
         67:39:9d:23:3c:3b:69:25:97:ce:2b:f3:8e:b8:e3:1a:41:93:
         58:30:c8:8f:84:cc:99:3a:dc:ab:b6:35:ec:a4:1f:dc:0c:30:
         1d:81:40:87:da:5d:45:61:65:c6:44:84:e7:9f:81:13:4a:84:
         f2:99:1f:cf:72:93:cd:db:dd:f6:93:87:56:bb:18:bd:75:8a:
         22:a3:8a:3f:ad:7b:e8:08:f3:e5:4e:7a:a2:ef:d0:dd:8e:84:
         28:19:4b:8f:83:b0:3d:d3:6e:6d:c6:05:1c:bd:8d:31:53:d2:
         ce:32:f1:e2:0a:50:cd:c6:0b:3a:29:ac:8d:f0:3b:11:15:a9:
         66:7e:04:6a:40:90:c3:de:55:b7:4a:f5:a0:b4:f7:60:8b:99:
         ab:9d:1f:a6:28:59:9f:cb:8b:91:70:39:6f:a0:ab:c6:be:21:
         a2:5c:80:2c:c2:0b:69:ea:c6:90:09:d3:22:b0:a8:f6:af:35:
         1e:ad:2d:ff:3d:9c:c7:e5:a8:31:e5:a2:e3:90:f0:d0:c6:f2:
         04:fc:bb:92:39:3d:00:7c:24:46:e2:1c:82:b2:4d:68:8f:c9:
         92:d6:f2:f6:8c:74:54:f6:ba:97:52:64:cc:32:b8:c9:cd:e3:
         66:e4:2f:b6:fc:48:66:f7:68:60:a3:19:47:8f:6d:a6:60:ab:
         81:d3:7f:4a:f5:9a:5f:aa:f1:76:1b:8e:bb:68:ca:eb:64:e5:
         b5:05:38:13:27:92:5c:f0

Crear certificados y firmarlos con la entidad certificadora (CA)

Crear la clave privada del certificado

URL='*.apps.ocp.guillen.io'
openssl genrsa -out ./private/${URL}.key.pem 2048
chmod 400 ./private/${URL}.key.pem

Nota: Incluyendo el parámetro -aes256, el certificado estará cifrado por lo que se pedirá una contraseña cada vez que se quiera usar.

Ejemplo de ejecución:

agd@folio13 ca]$ URL='*.apps.ocp.guillen.io'
[agd@folio13 ca]$ openssl genrsa -out ./private/${URL}.key.pem 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
........................................................................................................+++
e is 65537 (0x010001)
[agd@folio13 ca]$ 
[agd@folio13 ca]$ chmod 400 ./private/${URL}.key.pem

Crear la solicitud de certificado

URL='*.apps.ocp.guillen.io'
export SAN=DNS:$URL,DNS:$(echo $URL | sed 's/*\.//g' )
openssl req -config openssl.conf \
      -key ./private/${URL}.key.pem \
      -new -sha256 -out ./csr/${URL}.csr.pem

Ejemplo de ejecución:

[agd@folio13 ca]$ URL='*.apps.ocp.guillen.io'
[agd@folio13 ca]$ export SAN=DNS:$URL,DNS:$(echo $URL | sed 's/*\.//g' )
[agd@folio13 ca]$ openssl req -config openssl.conf \
>       -key ./private/${URL}.key.pem \
>       -new -sha256 -out ./csr/${URL}.csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name [Madrid]:
Locality Name [Madrid]:
Organization Name [Guillen.io]:
Organizational Unit Name [IT]:
Common Name []:*.apps.ocp.guillen.io
Email Address []:

Firmar la solicitud de certificado con la CA

openssl ca -config ./openssl.conf \
    -extensions v3_req -days 3650 -notext -md sha256 \
    -in ./csr/*.apps.ocp.guillen.io.csr.pem \
    -out ./certs/*.apps.ocp.guillen.io.cert.pem    
chmod 444 ./certs/*.apps.ocp.guillen.io.cert.pem

Ejemplo de ejecución:

[agd@folio13 ca]$ openssl ca -config ./openssl.conf \
>     -extensions v3_req -days 3650 -notext -md sha256 \
>     -in ./csr/*.apps.ocp.guillen.io.csr.pem \
>     -out ./certs/*.apps.ocp.guillen.io.cert.pem    
Using configuration from ./openssl.conf
Enter pass phrase for ./private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Jul 24 20:53:40 2018 GMT
            Not After : Jul 21 20:53:40 2028 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = Madrid
            organizationName          = Guillen.io
            organizationalUnitName    = IT
            commonName                = *.apps.ocp.guillen.io
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:*.apps.ocp.guillen.io, DNS:apps.ocp.guillen.io
Certificate is to be certified until Jul 21 20:53:40 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[agd@folio13 ca]$ chmod 444 ./certs/*.apps.ocp.guillen.io.cert.pem

Verificar el certificado

Se puede verificar el certificado mediante openssl x509 -noout -text -in certs/<certificate-name>.pem. Ejemplo:

[agd@folio13 ca]$ openssl x509 -noout -text -in certs/\*.apps.ocp.guillen.io.cert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ES, ST = Madrid, L = Madrid, O = Guillen.io, OU = IT
        Validity
            Not Before: Jul 24 20:53:40 2018 GMT
            Not After : Jul 21 20:53:40 2028 GMT
        Subject: C = ES, ST = Madrid, O = Guillen.io, OU = IT, CN = *.apps.ocp.guillen.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:06:03:fa:af:8f:73:3b:57:70:67:e4:09:ad:
                    9a:17:20:b8:bc:4e:4a:77:fa:09:67:33:8a:70:49:
                    63:6f:65:0e:f9:ed:93:cf:41:62:d9:44:5d:9b:87:
                    b3:33:2f:e9:9c:89:01:ff:3d:36:40:8f:2b:ea:74:
                    59:cf:92:b0:9f:d5:2d:6d:de:a6:9e:2d:50:1e:44:
                    30:c1:5d:0c:4e:8d:62:a7:a3:ae:48:7a:d9:38:e9:
                    a8:00:8d:26:e4:dc:34:d5:90:dd:c7:73:28:e2:5c:
                    61:c3:2d:bd:d7:ff:74:22:ea:53:4d:c5:f7:54:05:
                    db:00:05:48:fc:6e:da:44:04:96:5e:cb:b8:e6:61:
                    58:d7:96:f9:c5:91:98:5a:2d:90:ef:b2:fb:7c:a2:
                    07:57:4c:9d:f1:b1:0a:16:11:88:74:35:34:67:0f:
                    50:ba:c0:9c:67:bb:52:11:30:14:f9:9f:3a:10:c5:
                    f4:d4:73:14:88:fc:fe:fd:18:8c:7a:29:ad:27:24:
                    67:3a:bf:6b:3c:d1:15:8e:fd:74:b5:97:a4:27:8d:
                    da:76:98:5e:14:08:bf:fa:78:30:49:6d:eb:69:3a:
                    ad:d1:97:10:d9:ad:db:28:a5:b2:2c:33:fd:23:9f:
                    f8:bf:37:2e:21:b7:f1:0e:b4:ad:fb:51:44:c7:24:
                    e6:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:*.apps.ocp.guillen.io, DNS:apps.ocp.guillen.io
    Signature Algorithm: sha256WithRSAEncryption
         0c:ff:97:86:9f:1e:79:78:2c:b0:29:ee:c7:6a:a9:23:9a:ff:
         4b:2e:ec:71:23:bf:bc:5e:b9:96:99:69:ad:96:0d:75:49:fe:
         85:94:6a:0e:5c:50:30:19:8e:64:10:ae:be:86:ad:29:98:cf:
         e4:6d:bf:ad:70:0a:15:9c:71:26:c2:25:71:5e:56:b0:78:06:
         e9:c4:f5:9a:b0:da:69:5d:fc:3f:00:27:46:c8:6f:85:85:af:
         74:1c:5e:0b:7f:57:1e:e2:b8:bc:ce:5b:f6:12:66:6c:e9:c7:
         0f:b4:a8:dd:16:6f:47:62:5a:95:ba:f4:8b:0c:96:09:24:a8:
         d5:45:77:d7:bb:89:da:c0:4c:c4:08:2c:5e:07:cb:c6:62:2c:
         75:70:da:a4:b8:16:81:ae:2f:0c:52:73:17:1e:c2:e1:ef:ba:
         5b:fd:9f:ad:19:b1:65:b7:1a:34:a9:bf:b0:cb:00:74:a7:df:
         27:57:6b:ff:26:8f:12:d9:7b:53:ed:a9:a2:85:9b:8f:30:6f:
         9d:57:b2:8a:04:22:3a:16:d0:93:6a:07:ee:c3:a8:c5:bd:2c:
         5b:d7:75:18:35:60:f7:db:af:88:1c:37:c3:3e:b4:a1:88:07:
         ea:41:83:fc:79:bf:c3:c4:a7:e2:d8:05:bf:e9:5c:26:34:ff:
         98:83:5c:db:4d:62:fd:20:ba:38:db:77:f4:47:1c:7d:94:61:
         53:9a:05:23:61:46:74:e4:65:00:57:e9:90:3d:d6:f3:62:4c:
         9f:a4:99:52:a6:0d:01:51:1a:eb:68:5d:d2:ba:43:b4:7e:29:
         67:56:82:8b:a3:76:e4:be:ed:09:e4:71:04:4c:c3:e0:f4:04:
         be:38:d8:9b:e9:35:cd:3d:4a:3e:16:f0:b5:d0:2b:62:f3:6e:
         87:53:a2:a9:aa:b1:1c:3a:5b:aa:81:d0:b3:2a:01:c2:2e:f8:
         81:69:a5:8f:2f:83:04:62:7c:04:60:1c:f1:18:cd:ef:8b:04:
         1d:07:26:3f:98:da:64:ed:b2:8a:2b:12:20:6f:dd:57:ce:f4:
         5e:16:a5:49:96:8e:04:cf:bf:7b:4a:d2:af:66:ed:c3:ca:95:
         83:f3:c7:7e:58:f8:2e:9f:8c:8f:e4:cb:c1:97:7d:78:6f:bf:
         f4:b9:69:d8:26:b0:15:36:5f:14:d6:76:6a:fb:36:ca:18:03:
         e5:36:6d:c2:b5:50:c5:83:55:c5:f7:b4:1f:e8:fe:30:54:b4:
         d2:fb:f2:b1:13:95:d7:e2:be:7b:7f:a1:13:76:50:be:64:14:
         18:b5:70:5e:9f:24:5b:d1:c9:5c:fa:1d:09:c1:28:c7:13:ac:
         71:c8:72:27:c0:0a:28:b9

Notar la presencia de la extensión X509v3 Subject Alternative Name:

[agd@folio13 ca]$ openssl x509 -noout -text -in certs/\*.apps.ocp.guillen.io.cert.pem | grep -A1 "Subject Alternative Name"
            X509v3 Subject Alternative Name: 
                DNS:*.apps.ocp.guillen.io, DNS:apps.ocp.guillen.io

Entradas de interés

• Crear solicitud de certificado (CSR)
• Compilar HAProxy usando una biblioteca OpenSSL específica
• Convertir certificados en formato PPK (Putty) a certificados en formato OpenSSH
• Formatos de certificados y conversiones con OpenSSL
• Múltiples versiones de OpenSSL en Linux