Hi Ralph,
If the internal team is familiar with openssl, they can use this tool to rapidly create a Server Side Cert with multiple SANs.
openssl may be used on both MS Windows OS and UNIX/Linux.
Below is an example that I use to create a Server Cert with multiple SANs, where the SANs may be an FQDN, Hostname, or IP address.
See below where I used variables to populate many iterations of a SAN's FQDN.
For your example:
You have two (2) choices.
1) Create a basic Server side Cert with just the CN=domainname.com to ensure that it matches ANY host in the domain. But this may be too wide of a reach and may impact security governance requirements.
2) Use the SANs functionality of openssl, to create as many SANs (150) as you wish to the exact FQDN (even if the domain names are different)
/subjectAltName=DNS.1=$_FQDN01,DNS.2=$_FQDN02,DNS.3=valid.example.com, ........., DNS.150=valid.example.com
https://tools.ietf.org/html/rfc5280#section-4.2.1.6
I am also enclosing the reference links used to build these scripts.
*** *** ***
###################################################
# Generate SSL KEY and CERTS
###################################################
SSL_HOME=/opt/CA/httpd/conf/ssl
_HOSTNAME=`hostname`
_FQDN=`hostname -f`
_IP=`hostname -i`
_PASSWORD=Password01
mkdir -p $SSL_HOME
echo "# Write the openssl config section that carries the SANs"
# subjectAltName is an X.509 extension, not a subject (DN) field, so it cannot be
# passed inside -subj; it goes in a config file instead. The same v3_req section
# is used for the csr (-reqexts) and for the self-signed cert (-extfile/-extensions)
cat > $SSL_HOME/ssl.domain.com.san.cnf <<EOF
[req]
distinguished_name = req_dn
req_extensions = v3_req
[req_dn]
[v3_req]
subjectAltName = DNS:$_FQDN,DNS:CHANGE_ME.example.com,DNS:valid.example.com,IP:$_IP,IP:192.168.255.254
EOF
echo "# Generate a server key"
openssl genrsa -aes256 -passout pass:$_PASSWORD -out $SSL_HOME/ssl.domain.com.server.key 4096
echo "# Generate a cert request (csr) using above server key for "
echo "hostname = $_HOSTNAME, fqdn = $_FQDN, ip = $_IP"
openssl req -new -passin pass:$_PASSWORD -key $SSL_HOME/ssl.domain.com.server.key -out $SSL_HOME/ssl.domain.com.server.csr -subj "/C=US/ST=ST/L=CITY/O=Corp/OU=Dept/CN=$_HOSTNAME/emailAddress=CHANGE_ME@example.com" -config $SSL_HOME/ssl.domain.com.san.cnf -reqexts v3_req
echo ""
echo "# Create self-signed cert (TO BE REPLACED BY VALID PUBLIC CERTS IN PRODUCTION BEFORE GO LIVE)"
# -extfile/-extensions are required here as well: x509 -req does not copy the SANs out of the csr on its own
openssl x509 -req -days 3650 -passin pass:$_PASSWORD -in $SSL_HOME/ssl.domain.com.server.csr -signkey $SSL_HOME/ssl.domain.com.server.key -out $SSL_HOME/ssl.domain.com.server.crt -extfile $SSL_HOME/ssl.domain.com.san.cnf -extensions v3_req
echo ""
echo " Create non password protected server key to allow auto start of Apache w/o Password required"
openssl rsa -passin pass:$_PASSWORD -in $SSL_HOME/ssl.domain.com.server.key -out $SSL_HOME/ssl.domain.com.server.nopassword.key
echo ""
echo ""
echo "Password protected version"
head -3 $SSL_HOME/ssl.domain.com.server.key
echo ""
echo ""
echo "Open / no password protection version"
head -3 $SSL_HOME/ssl.domain.com.server.nopassword.key
echo ""
echo ""
echo "# View the self-signed Certificate (the SANs should appear under X509v3 Subject Alternative Name)"
openssl x509 -in $SSL_HOME/ssl.domain.com.server.crt -text -noout
###################################################
Reference:
# http://www.thegeekstuff.com/2011/03/install-apache2-ssl/
# https://docs.jboss.org/author/display/AS71/Using+mod_jk+with+JBoss+AS7
# https://chrisjean.com/adding-ssl-support-to-apache-on-centos/
Cheers,
Alan Baugher
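The following is an added example, not part of Alan's message or his script: it generalizes the "many SANs from variables" idea into a function that builds the subjectAltName list from any number of hostnames and IPv4 addresses, issues a key, CSR and self-signed cert that carry that list through a config section, and then checks with openssl's own -checkhost/-checkip that a given name is really covered by the certificate. It assumes openssl 1.0.2 or newer is on PATH; all names, addresses and paths (/tmp/san-demo, hostN.example.com) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original message): build a multi-SAN self-signed
# cert from a list of names/IPv4 addresses and verify the SAN extension landed in it.
set -eu

# Turn a list of names and IPv4 addresses into the comma-separated value that the
# subjectAltName extension expects: DNS:<name> for hostnames, IP:<addr> for addresses.
# e.g. build_san_list www.example.com 10.0.0.5 -> DNS:www.example.com,IP:10.0.0.5
build_san_list() {
    out=""
    for entry in "$@"; do
        case "$entry" in
            *[!0-9.]*) item="DNS:$entry" ;;   # anything beyond digits and dots is a hostname
            *)         item="IP:$entry" ;;    # IPv4 only; IPv6 would need its own branch
        esac
        out="${out:+$out,}$item"
    done
    printf '%s\n' "$out"
}

# Minimal openssl config carrying the SAN extension. The v3_req section serves both
# the CSR (-reqexts) and the self-signed cert (-extfile/-extensions), because
# "openssl x509 -req" does not copy extensions out of the CSR on its own.
write_san_config() {   # $1 = config path, $2 = SAN list from build_san_list
    cat > "$1" <<EOF
[req]
distinguished_name = req_dn
req_extensions = v3_req
[req_dn]
[v3_req]
subjectAltName = $2
EOF
}

# Generate key, CSR and self-signed cert in $1 with CN=$2 and all remaining
# arguments as SAN entries (constructed demo values; no production use intended).
make_san_cert() {
    dir=$1; cn=$2; shift 2
    sans=$(build_san_list "$@")
    mkdir -p "$dir"
    write_san_config "$dir/san.cnf" "$sans"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Corp/CN=$cn" -config "$dir/san.cnf" -reqexts v3_req
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extfile "$dir/san.cnf" -extensions v3_req 2>/dev/null
}

# Does the certificate in $1 cover the name or IPv4 address $2? Uses openssl's
# hostname/IP matching, which prints "... does match certificate" on success and
# "... does NOT match certificate" otherwise. Returns 0 when covered.
cert_covers() {
    case "$2" in
        *[!0-9.]*) opt=-checkhost ;;
        *)         opt=-checkip ;;
    esac
    openssl x509 -noout -in "$1" "$opt" "$2" 2>&1 | grep -q "does match certificate"
}

# Stand-alone demo: 150 constructed hostnames plus one constructed IP, then a check.
if [ "${1:-}" = "demo" ]; then
    names=""; i=1
    while [ "$i" -le 150 ]; do names="$names host$i.example.com"; i=$((i + 1)); done
    make_san_cert /tmp/san-demo www.example.com $names 192.168.255.254
    cert_covers /tmp/san-demo/server.crt host150.example.com && echo "host150.example.com is covered"
    cert_covers /tmp/san-demo/server.crt other.example.com || echo "other.example.com is NOT covered"
fi
```

Run it as `sh san_cert.sh demo` to build the 150-name certificate under /tmp/san-demo; the last two lines are the check worth keeping in any cert-generation script, since a SAN that ended up in the subject DN rather than in the extension will fail -checkhost even though it is visible in `openssl x509 -text`.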