Parliament Hill Computers LtdParliament Hill Computers Ltd

Understanding and generating OpenSSL.cnf files

OpenSSL.cnf files

Why are they so hard to understand ?

The documentation is poor, there are too many ways of doing the same thing, the examples are overly complex for the purpose of simple web servers.

Learning from that we have a simple, commented, template that you can edit. It is in the directory SSLConfigs.

Creating your first some-domain.cnf

Decide on a name for the certificate family, eg my-family A family is a set of related web sites. In the example below,, etc are all in one family. The point about a family is that they all share one certificate.

Copy EXAMPLE.cnf to a meaningful name, eg my-family.cnf

Modify the 7 lines that start countryName=. What we put is:

	countryName=            UK
	stateOrProvinceName=    Hertfordshire
	localityName=           Watford
	organizationName=       Parliament Hill Computers
	organizationalUnitName= Web Server

If you have more than one web site address, then you need to put then in the alt_names section at the bottom. You can put up to 99 extra names. What we put included:

	DNS.1 =
	DNS.2 =
	DNS.3 =
	DNS.4 =

If you do not have any then comment out the line that references the section:

     # subjectAltName = @alt_names

Complete example

Here is a complete example ssl.cnf file.

Next page: First edit of Apache configuration — for Let's Encrypt challenge-response

Return to How to Configure Let's Encrypt with

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.