
Generating Multi-Domain (SAN) Certificates

The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, such as a Multi-Domain (SAN) or Extended Validation Multi-Domain Certificate.


  • Secure Host Names on Different Base Domains in One SSL Certificate: A Wildcard Certificate can protect all first-level subdomains on an entire domain, such as * However, a Wildcard Certificate cannot protect both and
  • Virtual Host Multiple SSL Sites on a Single IP Address: Hosting multiple SSL-enabled sites on a single server typically requires a unique IP address per site, but a Multi-Domain (SAN) Certificate with Subject Alternative Names can solve this problem. Microsoft IIS and Apache are both able to Virtual Host HTTPS sites using Multi-Domain (SAN) Certificates.
  • Greatly Simplify Your Server's SSL Configuration: Using a Multi-Domain (SAN) Certificate saves you the hassle and time involved in configuring multiple IP addresses on your server, binding each IP address to a different certificate, and trying to piece it all together.


A multi-domain SAN certificate has a Subject Alternative Name extension that can list both and plus some additional SANs, all secured by a single certificate. Because the name is listed in the certificate, a web browser will not complain if one visits the site at without the 'www' in the name.

CSR (Certificate Signing Request)

A CSR is a block of encoded text that is given to a Certificate Authority when applying for a signed SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

A CSR contains the following fields:
  • CN (Common Name): The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error. Example: * or
  • O (Organization): The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. Example: ABCD Inc.
  • OU (Organizational Unit): The division of your organization handling the certificate. Example: Finance
  • L (City/Locality): The city where your organization is located. Example: London
  • ST (State/County/Region): The state/region where your organization is located. This shouldn't be abbreviated. Example: Greater London
  • C (Country): The two-letter ISO code for the country where your organization is located. Example: GB
  • emailAddress (Email address): An email address used to contact your organization. Example:
  • publicKey (Public Key): The public key that will go into the certificate. It is part of the CSR.

Public signed SSL certificate

To create a signed SSL Certificate corresponding to your private key, you have three options:
  1. Self-signing - Easy, free, and quick. Not trusted by browsers.
  2. Creating a certificate authority (CA) - Not difficult, but likely more effort. Still isn't trusted by browsers.
  3. Paying a CA to create your certificate for you - Can be cheap (£10), pretty easy, and is trusted by browsers. Let's Encrypt provides a free service to sign your certificate.

We will use OpenSSL for this.
To generate a Key Pair (private key) and Certificate Signing Request (CSR), please do the following:
  1. Log in to the host for which you need a signed certificate.
  2. Get the host's Fully Qualified Domain Name (FQDN):
    host `hostname` | sed 's/\([^ ]*\)\ .*/\1/'
  3. Create a text file, cert.txt (used in step 4), containing the certificate information for the machine named ``. The CN and the alt_names entry are placeholders here; fill in the FQDN from step 2:
       [ req ]
       default_bits = 2048
       prompt = no
       default_md = sha256
       req_extensions = req_ext
       distinguished_name = dn
       [ dn ]
       CN=<FQDN from step 2>
       ST=Greater London
       O=Organisation Name
       OU=Organisation Unit Name
       [ req_ext ]
       subjectAltName = @alt_names
       [ alt_names ]
       DNS.1=<FQDN from step 2>
    NOTE: Make sure that you also specify the CN in the alt_names section. For CA6 certs, the CN is not automatically added to the SAN. If a SAN is present, the CN is ignored and will not be trusted.
  4. Generate the CSR and a 2048-bit RSA private key file:
    openssl req -new -sha256 -nodes -out hostname.csr -newkey rsa:2048 -keyout hostname.key -config cert.txt
  5. To get the certificate signed, submit the generated CSR to a certificate authority (CA). They will issue a public SSL certificate for you.
  6. Please verify the CSR, to ensure all information is correct. Use the following command:
    openssl req -noout -text -in hostname.csr
  7. As an alternative, to generate a self-signed certificate, run:
    openssl x509 -req -sha256 -days 3650 -in hostname.csr -signkey hostname.key -out hostname.crt
    You can combine all the above steps in a single command to generate a self-signed certificate:
    openssl req -x509 -nodes -days 3650 -subj "/C=GB/ST=Greater London/L=London/O=Organisation/OU=OrgUnit/" -newkey rsa:2048 -keyout hostname.key -out hostname.crt
    Here -nodes generates the key without a passphrase; it does not mean "nodes" but rather "no DES" (the key is not encrypted).
    -subj suppresses the interactive questions about the contents of the certificate, which is useful in automation.
  8. Please verify the certificate text and subject, to ensure all information is correct. Use the following command:
    openssl x509 -noout -text -in hostname.crt
    openssl x509 -noout -subject -in hostname.crt
  9. Create a combined PEM file, since many daemons expect the .key and the .crt in a single file:
    cat hostname.key hostname.crt > hostname.pem
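Steps 3, 4 and 7 above as an added example, not the blog's own script: it writes the cert.txt with constructed host names (www.example.com, example.com, api.example.net), generates the key and SAN CSR, self-signs it, and then checks by command rather than by eye that the SAN actually reached the certificate and that key, CSR and certificate carry the same public key.

```shell
# Added example, not the blog's own script: the cert.txt described above
# (www.example.com, example.com and api.example.net are constructed names),
# key + SAN CSR, self-signed certificate, and two checks done by command.
set -e
WORK=$(mktemp -d)
write_config() {
  cat > "$WORK/cert.txt" <<'EOF'
[ req ]
prompt = no
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = www.example.com
O = Organisation Name
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = api.example.net
EOF
}
make_csr_and_cert() {
  # Key pair + CSR carrying the SAN from req_ext (step 4 above).
  openssl req -new -sha256 -nodes -config "$WORK/cert.txt" \
    -newkey rsa:2048 -keyout "$WORK/host.key" -out "$WORK/host.csr"
  # "x509 -req" drops the CSR's extensions: the SAN section is re-read with
  # -extfile/-extensions, otherwise the self-signed cert has no SAN at all.
  openssl x509 -req -sha256 -days 365 -in "$WORK/host.csr" \
    -signkey "$WORK/host.key" -extfile "$WORK/cert.txt" \
    -extensions req_ext -out "$WORK/host.crt"
}
san_names() {  # DNS names in the certificate's SAN, one per line
  openssl x509 -noout -text -in "$WORK/host.crt" \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}
keys_match() {  # key, CSR and cert must all carry the same public key
  k=$(openssl pkey -in "$WORK/host.key" -pubout | openssl sha256)
  r=$(openssl req -in "$WORK/host.csr" -pubkey -noout | openssl sha256)
  c=$(openssl x509 -in "$WORK/host.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$r" ] && [ "$r" = "$c" ]
}
write_config
make_csr_and_cert
san_names
keys_match && echo "key, CSR and certificate match"
```

Note that openssl x509 -req does not copy the CSR's extensions, so the plain step 7 command (and the one-line req -x509 form, unless the config or, on OpenSSL 1.1.1 and later, -addext supplies a subjectAltName) yields a certificate without a SAN; the -extfile/-extensions flags above put it back.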

Connecting to services that use a self-signed or custom CA certificate

  1. Download the public SSL certificate from the web service URL:
    keytool -printcert -rfc -sslserver > ./abcd.public.cert.pem
  2. Add the downloaded certificate to your JDK trust store:
    keytool -keystore ${JAVA_HOME}/lib/security/cacerts -storepass changeit -importcert -file ./abcd.public.cert.pem -alias
  3. Alternatively, you can create a custom Java Keystore and add the public certificates of the services that you want to trust and connect to (using Java):
    keytool -genkey -keyalg RSA -alias customJavaKeyStore -keystore customJavaKeyStore.jks -storepass customJavaKeyStorePassword -validity 3650 -keysize 2048
    keytool -keystore customJavaKeyStore.jks -storepass customJavaKeyStorePassword -import -trustcacerts -file caRootCertFile.crt -alias caRootCertAlias
    keytool -keystore customJavaKeyStore.jks -storepass customJavaKeyStorePassword -import -file "hostname.crt" -alias hostNameCert
    where caRootCertFile.crt is the file containing the root certificate, caRootCertAlias is the alias representing the certificate, and customJavaKeyStore.jks is the file containing your trust store.
  4. Add the trust store to the JVM's start-up parameters:
    -Djavax.net.ssl.trustStore=customJavaKeyStore.jks -Djavax.net.ssl.trustStorePassword=customJavaKeyStorePassword
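Option 2 from the signing options above (your own CA), as an added example that is not the blog's own commands: a constructed private CA issues a SAN certificate for the constructed names www.example.com and api.example.net, and openssl verify then makes the same chain and host-name decision a client such as the JVM makes against its trust store. It assumes OpenSSL 1.1.0 or later for -verify_hostname.

```shell
# Added example, not the blog's own commands: a constructed private CA
# issues a SAN certificate, then openssl verify performs the chain and
# host-name check a client makes against its trust store.
set -e
WORK=$(mktemp -d)
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = overridden by -subj below
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ host_ext ]
subjectAltName = DNS:www.example.com,DNS:api.example.net
EOF
make_ca() {  # self-signed root, marked as a CA by basicConstraints
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 \
    -config "$WORK/ca.cnf" -extensions ca_ext \
    -subj "/C=GB/O=Example Root CA/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}
issue_host_cert() {  # host CSR, signed by the CA with the SAN from host_ext
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$WORK/ca.cnf" \
    -subj "/C=GB/O=Organisation/CN=www.example.com" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr"
  openssl x509 -req -sha256 -days 365 -in "$WORK/host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions host_ext -out "$WORK/host.crt"
}
# What a client with ca.crt in its trust store checks: the chain must end
# at the CA and the requested host name must match a SAN entry (exit 0).
trusted_for() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/host.crt" >/dev/null 2>&1
}
# The same certificate against the default trust store, which does not
# contain our CA: rejected, as a JVM is before step 2 or 3 above.
trusted_by_system() {
  openssl verify "$WORK/host.crt" >/dev/null 2>&1
}
make_ca
issue_host_cert
trusted_for www.example.com && echo "www.example.com: trusted"
trusted_for other.example.org || echo "other.example.org: rejected (not in SAN)"
trusted_by_system || echo "default trust store: rejected (unknown CA)"
```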