new cert, old key
I've been using one form of Let's Encrypt or another for as long as it's existed. Recently I set up a pretty cool way to get it to support wildcard subdomains on a registrar that doesn't actually support this, but that's a story for another time. Today's tale is one of relearning how to do self-signed certificates for the world of gemini.
When I first set up my gemini server, I used my main domain 8by3.net with a certificate that was valid for ten years. That seemed like a long time. I used the following command to get a key and crt.
```
openssl req -x509 -newkey rsa:4096 -nodes -keyout 8by3.key -out 8by3.crt -days 3650 -subj "/CN=8by3.net"
```
A few weeks later I decided I might as well throw my three domains 8by3.net/org/com all on my instance, and having learned a little bit more about the nature of TOFU certificates and the PITA it is to rotate certs for anyone who has already visited you, I needed a way to do this. Perhaps optimistically, I also decided that ten years might not be as long as I had originally thought. A little bit of prudent searching and I found a solution that solved both my problems.
First, I used a cnf file to properly define my multi-domain requirement. This is doubtless doable as a single command-line argument, but I had more luck with the input approach.
```
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
O = 8by3
CN = 8by3.net

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = 8by3.net
DNS.2 = 8by3.org
DNS.3 = 8by3.com
```
And then, using the CNF, generate a new CSR (Certificate Signing Request).
```
openssl req -new -key 8by3.key -out 8by3.csr -config 8by3.cnf
```
Finally, the CSR, the CNF and the original key can be used to generate a new CRT.
```
openssl x509 -req -days 36520 -in 8by3.csr -signkey 8by3.key -out new.8by3.crt -extensions req_ext -extfile 8by3.cnf
```
Deploying this new key to my gemini server, my browser was happy as punch to serve all three domains without complaint, and I could see the expiry was now in 100 years.
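The three steps above (config file, CSR from the old key, self-signed reissue) as one runnable script. This is an added example, not the post's own commands: it generates a throwaway 2048-bit key and uses made-up names (example.test and friends) so it runs anywhere openssl is installed. It also adds the check you want after doing this for real: hash the SubjectPublicKeyInfo of the old key and of the new certificate and confirm they are identical, which is what a key-pinning TOFU store compares. The whole-certificate fingerprint is printed too, because that does change on reissue, and a client whose TOFU store pins the certificate fingerprint rather than the key will still prompt once for the new cert.

```shell
#!/bin/sh
# Added example, not the post's own commands. Reissues a self-signed TLS
# certificate with new SANs and a new lifetime while keeping the original
# private key, then verifies that the key really was kept. Domain names,
# file names and the throwaway 2048-bit RSA key are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the original single-domain, ten-year certificate and its key.
make_old_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/old.key" -out "$WORK/old.crt" \
        -days 3650 -subj "/CN=example.test" 2>/dev/null
}

# Config carrying the multi-domain requirement: name-checking clients match
# the subjectAltName entries, not the CN.
write_cnf() {
    cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
O  = Example
CN = example.test

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.test
DNS.2 = example-two.test
DNS.3 = example-three.test
EOF
}

# CSR from the OLD key, then self-sign with that same key. The SAN extension is
# pulled from the config file because "x509 -req" does not copy extensions out
# of the CSR by itself.
reissue_with_old_key() {
    openssl req -new -key "$WORK/old.key" -out "$WORK/new.csr" -config "$WORK/san.cnf"
    openssl x509 -req -days 36520 -in "$WORK/new.csr" -signkey "$WORK/old.key" \
        -out "$WORK/new.crt" -extensions req_ext -extfile "$WORK/san.cnf" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo: identical for the old key and the
# new cert when the key was reused. This is what key-pinning TOFU stores compare.
spki_hash_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
spki_hash_of_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the whole certificate: this DOES change on reissue, so a client
# that pins the certificate fingerprint rather than the key will still prompt.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Comma-separated SAN entries of a certificate, e.g. "DNS:a.test,DNS:b.test".
san_list() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d ' \n'
}

run_demo() {
    make_old_key_and_cert
    write_cnf
    reissue_with_old_key
    echo "SPKI hash, old key    : $(spki_hash_of_key  "$WORK/old.key")"
    echo "SPKI hash, new cert   : $(spki_hash_of_cert "$WORK/new.crt")"
    echo "Cert fingerprint, old : $(cert_fingerprint "$WORK/old.crt")"
    echo "Cert fingerprint, new : $(cert_fingerprint "$WORK/new.crt")"
    echo "SANs in new cert      : $(san_list "$WORK/new.crt")"
    openssl x509 -in "$WORK/new.crt" -noout -enddate
}

run_demo
```

If the two SPKI hashes differ, the wrong key went into the CSR or the -signkey step; if they match but a client still warns, that client is pinning the certificate fingerprint, and the prompt is a one-off on the first visit after the swap.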
🏷️ #others #tech #openssl #gemini #tls