How do I issue multiple certificates for the same Common Name?
Do you need dupes? Traditionally browsers and clients required that the CommonName field of the Subject name match the hostname; modern ones prefer that an entry in the SubjectAlternativeName (SAN) extension do so. You can set other fields to differ e.g.
O=Floo Manufacturing, OU=floo server 2016, CN=www.floo.example.com
O=Floo Manufacturing, OU=floo server 2017, CN=www.floo.example.com
and the Subject DNs are unique even though CommonName by itself is not.
Or with modern clients you could put www.floo.example.com in SAN and use unique Subjects with no CommonName at all. But getting openssl to do per-cert SAN is a bit inconvenient; see e.g. https://security.stackexchange.com/questions/113484/followup-to-one-liner-to-create-cert-request-with-san
To allow dupes: the official way
In your config file (which is $CAROOT/intermediate/openssl.cnf) go to the 'section' (delimited by lines of the form [somename] with optional whitespace) for your CA. Since you didn't use -name on the command line, the section name is the value of default_ca in the [ca] section or the default section (at the top, before the first [somename] line); looking near your link it's probably [CA_default]. Add a line
unique_subject=no
with spacing and a following # comment optional. Or if you already have a line for this item, change and/or uncomment it, but looking near your link you probably don't.
See the man page ca(1ssl) on your system or on the web, under CONFIGURATION FILE OPTIONS.
To allow dupes: the unofficial way
Empty (truncate) the configured database file, which is conventionally index.txt, and looking near your link they apparently use that. Or edit that file and delete the line(s) for the subject(s) you want to re-use -- but in this situation it looks like you have only one or a few and you want to re-use it or all of them, so emptying the file is simpler.
If you want to create multiple certificates with the same subject, you can change your configuration like this:
In the CA section (probably [CA_default]) of your openssl.cnf, set
unique_subject = no
But this setting is also saved in the file index.txt.attr; you have to change this, too. Otherwise it will not work.