Creating a self-signed certificate for multiple hostnames/IPs

To allow the certificate to be used for multiple hostnames/IPs, these must be set in the certificate as Subject Alternative Names (SAN). SANs can be present in commercially signed certificates, as well as self-signed certificates.
The following describes the steps to create a self-signed certificate for use with Zoom:

  1. Create the private key and certificate, and import them into a Java keystore (JKS) file. This can be done in various ways, e.g. with the OpenSSL or Keytool utilities.
    • If using OpenSSL, the key and certificate are generated in separate steps, with a wide choice of options. The Keytool utility is then used to import the key and certificate into an identity keystore file.
    • If using Keytool directly, all of the above is done in one command. Keytool supports fewer formats and encryption options than OpenSSL, but it suffices for our current purpose.
      • Command:
        keytool -genkey -alias <SOME-ALIAS-TO-STORE-AGAINST-IN-KEYSTORE-FILE> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity <CERTIFICATE-VALIDITY-IN-DAYS> -keystore <IDENTITY-KEYSTORE-FILE-NAME> -storepass <PASSWORD, e.g. 7rx2~bn0~4k> -ext san=ip:<IP-OPTION-1>,dns:<HOSTNAME-OPTION-1>[,ip:<IP-OPTION-2>,dns:<HOSTNAME-OPTION-2>]
      • Example:
        keytool -genkey -alias zoom-mam -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore identity.jks -storepass 7rx2~bn0~4k -ext san=ip:10.0.20.30,dns:mam.zoom.company.com,ip:127.0.0.1,dns:localhost
  2. Export the certificate from the identity keystore file to another file.
    • This step may not be needed in case OpenSSL is used since the certificate would have been generated as a separate file.
      • Command:
        keytool -exportcert -v -alias <ALIAS-USED-ABOVE> -keystore <IDENTITY-KEYSTORE-FILE-NAME> -file <OUTPUT-CERTIFICATE-FILENAME>
      • Example:
        keytool -exportcert -v -alias zoom-mam -keystore identity.jks -file zoom-mam.cert
  3. Import the certificate into a trust keystore file.
    • The trust keystore file is the one which will be distributed to all the clients, so that they can verify the server's certificate.
    • This is only needed for self-signed certificates; it is not needed when the certificate is signed by a trusted Certificate Authority (CA), since clients already trust the CA.
    • Enter the PASSWORD used above when prompted on the command-line, and confirm that the certificate should be trusted when asked.
      • Command:
        keytool -importcert -alias <ALIAS-USED-ABOVE> -keystore <TRUST-KEYSTORE-FILE-NAME> -v -file <OUTPUT-CERTIFICATE-FILENAME>
      • Example:
        keytool -importcert -alias zoom-mam -keystore trust.jks -v -file zoom-mam.cert
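The three steps above, run end to end as one non-interactive script, as an added example that is not part of the original guide or of any Zoom tooling. It assumes a JDK keytool is on PATH; the alias, hostnames, IP addresses, validity, Distinguished Name and password are constructed placeholder values. Compared with the commands in the guide it adds -dname, -keypass and -noprompt so that nothing prompts, exports the certificate as PEM with -rfc, and finishes with two checks the guide does not show: that every intended DNS name and IP address actually landed in the SubjectAlternativeName extension, and that the trust keystore holds the entry as a trustedCertEntry.

```shell
#!/bin/sh
# Added example (not from the original guide): build a self-signed SAN certificate with
# keytool end to end, non-interactively, then verify the result.
# Assumptions: a JDK keytool is on PATH; alias, names, IPs, DN and password below are
# constructed placeholders, not values from any real deployment.

ALIAS="zoom-mam"
STOREPASS="7rx2~bn0~4k"                    # constructed example password
SAN_DNS="mam.zoom.company.com localhost"   # hostnames clients will connect with
SAN_IPS="10.0.20.30 127.0.0.1"             # IP addresses clients will connect with

# Build the value for -ext san=... from the two lists above (dns:... and ip:... entries).
san_value() {
  v=""
  for h in $SAN_DNS; do v="$v,dns:$h"; done
  for i in $SAN_IPS; do v="$v,ip:$i"; done
  printf '%s' "${v#,}"
}

# Step 1: key pair plus self-signed certificate carrying the SANs, written straight into
# the identity keystore. -dname replaces the interactive DN prompts; -keypass equals the
# store password so later steps need no extra prompt (PKCS12 stores require that anyway).
build_identity_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -keystore "$1/identity.jks" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=mam.zoom.company.com, O=Example Company" \
    -ext "san=$(san_value)" >/dev/null 2>&1
}

# Step 2: export the certificate; -rfc writes PEM so "openssl x509" can read it as well.
export_certificate() {
  keytool -exportcert -rfc -alias "$ALIAS" -keystore "$1/identity.jks" \
    -storepass "$STOREPASS" -file "$1/zoom-mam.cert" >/dev/null 2>&1
}

# Step 3: the trust keystore handed to clients. -noprompt answers the "Trust this
# certificate?" question; that is acceptable only because this script created the
# certificate itself one step earlier.
build_trust_keystore() {
  keytool -importcert -noprompt -alias "$ALIAS" -keystore "$1/trust.jks" \
    -storepass "$STOREPASS" -file "$1/zoom-mam.cert" >/dev/null 2>&1
}

# Check 1: every intended name and IP is really in the SubjectAlternativeName extension.
# A missing entry here is what later surfaces as a hostname-mismatch error on a client.
verify_sans() {
  out=$(keytool -printcert -v -file "$1/zoom-mam.cert" 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q 'SubjectAlternativeName' || return 1
  for h in $SAN_DNS; do
    printf '%s\n' "$out" | grep -qF "DNSName: $h" || return 1
  done
  for i in $SAN_IPS; do
    printf '%s\n' "$out" | grep -qF "IPAddress: $i" || return 1
  done
}

# Check 2: the trust keystore holds the entry as a trusted certificate (not a key entry).
verify_trust_store() {
  keytool -list -keystore "$1/trust.jks" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
    | grep -q 'trustedCertEntry'
}

# Run all steps and checks in the directory given as $1; returns non-zero on any failure.
run_all() {
  dir="$1"
  mkdir -p "$dir" || return 1
  rm -f "$dir/identity.jks" "$dir/zoom-mam.cert" "$dir/trust.jks"  # keytool refuses an existing alias
  build_identity_keystore "$dir" && export_certificate "$dir" && build_trust_keystore "$dir" \
    && verify_sans "$dir" && verify_trust_store "$dir"
}

if run_all "${1:-./san-cert-demo}"; then
  echo "built identity.jks, zoom-mam.cert and trust.jks; all SAN entries verified"
else
  echo "failed: is a JDK keytool on PATH?" >&2
fi
```

Run it with an optional output directory as the first argument. The guide's commands use `-genkey`, the older name that current keytool still accepts for `-genkeypair`; note also that recent JDKs write a PKCS12 store even when the file is named `.jks`, which Zoom clients reading it through the standard Java keystore API handle transparently. The SAN check is the part worth keeping in any deployment script: a client that cannot find the name it dialled among the SAN entries will reject the certificate no matter what the CN says.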