I’ve recently changed my ssl certificates to fix some problems regarding subdomain handling. As firefox and other browsers complained:
You have attempted to establish a connection with “blogs.nopcode.org”. However the security certificate presented belongs to “nopcode.org” (…)
My SSL certificates are not self-signed, I use a CA known as CAcert instead. This is one of their a logos:
I’ve joined that CA six months ago and I’m really happy with it. I’ve learnt lots of issues about SSL, certificate generation, CA’s, security devices, trust policies, server configurations, code signing, etc…
If you want to know more about certificates, check cacert’s wiki, there’s a lot of interesting stuff there, including how to join CAcert’s WoT ;)
Next I’m gonna explain how easy it was to generate a certificate for my main domain and subdomains: I’ve simply used a helper perl script to generate a CSR and a private key. Then, I’ve sent that CSR to CAcert, and they sent back to me my server certificate. Then, with a certificate signed by CAcert, and my private key file, I’m now able to secure my services (imap, smtp, www and jabber).
The script execution went like this:
# ./subjectAltname.pl Generate SSL Cert stuff for SAPI FQDN/Keyname for Cert (ie www.example.com) :nopcode.org Alt Names (ie www1.example.com or <return> for none) :blogs.nopcode.org Alt Names (ie www1.example.com or </return><return> for none) :www.nopcode.org Alt Names (ie www1.example.com or </return><return> for none) :ftp.nopcode.org (... more sub-domains ...) Alt Names (ie www1.example.com or </return><return> for none) :voip.nopcode.org Alt Names (ie www1.example.com or </return><return> for none) : Host short name (ie imap big_srv etc) :nopcode Attempting openssl... Generating a 2048 bit RSA private key ..+++ ...................+++ writing new private key to '/somewhere/privatekey.pem' ----- writing csr to /somewhere/csr.pem... Take the contents of /somewhere/csr.pem and go submit them to receive an SSL ID. When you receive your public key back, you 'should' name it something like 'something.pem'. </return>
If you just want to issue a certificate for one single TLD (instead of using subjectAltName SSL attribute for subdomains), you only have to write:
# openssl req -nodes -new -keyout private.key -out server.csr
EDIT: There is a strong reason against using self-signed certificates.