Task $2.$c$.$ Certificate with multiple namesMany websites have different URLs. For example, www$.$example.com, www$.$example.org, example. com all point to the same web server. Due to the hostname matching policy enforced by most TLS client programs, the common name in a certificate must match with the servers hostname, or TLS clients will refuse to communicate with the server.To allow a certificate to have multiple names, the X$\mathrm{.}509$ specification defines extensions to be attached to a certificate. This extension is called Subject Alternative Name $($SAN$).$ Using the SAN extension, its possible to specify several hostnames in the subjectAltName field of a certificate.To generate a certificate signing request with such a field, we can use a configuration file, and put all the necessary information in this file $($the PKI lab shows how you can do everything in the command line$).$ The following configuration file gives an example. It specifies the content for the subject field and add a subjectAltName field in the extension. The field specifies several alternative names, including a wildcard name $*.$bank$32.$com. It should be noted that the field must also include the one from the common name field; otherwise, the common name will not be accepted as a valid name.Listing $3$: server openssl.cnf $[$ req $]$prompt $=$ no distinguished$\_$name $=$ req$\_$distinguished$\_$namereq$\_$extensions $=$ req$\_$ext $[$ req$\_$distinguished$\_$name $]$ C $=$USST $=$ New YorkL $=$ SyracuseO $=$XYZLTD$.$CN $=$ www$.$bank$32.$com $[$ req$\_$ext $]$subjectAltName $=$ @alt$\_$names$[$alt$\_$names$]$DNS$\mathrm{.}1=$ www$.$bank$32.$comDNS$\mathrm{.}2=$ www$.$example.com DNS$\mathrm{.}3=*.$bank$32.$comWe can use the following "openssl req" command to generate a pair of public$/$private keys and a certificate signing request:When the CA signs a certificate, for the security reason, by default, it does not copy the extension field from the certificate signing request into the final certificate. In order to allow the copying, we need to change the openssls configuration file. By default, openssl uses the configuration file openssl.cnf from the $/$usr$/$lib$/$ssl directory. Inside this file, the copy extensions option is disabled $($commented out$).$ We do not want to modify this system$-$wide configuration file. Let us copy it file to our own folder, and rename it as myopenssl.cnf$.$ We then uncomment the following line from this file:Now, we can use the following program to generate the certificate $($server$.$crt$)$ for the server from the certificate signing request $($server$.$csr$),$ and all the extension fields from the request will be copied to the final certificate. openssl req $-$newkey rsa:$2048-$config $./$server$\_$openssl.cnf $-$batch $\backslash -$sha$256-$keyout server.key $-$out server.csr # Extension copying option: use with caution. copy$\_$extensions $=$ copy openssl ca $-$md sha$256-$days $3650-$config $./$myopenssl$.$cnf $-$batch $\backslash -$in server.csr $-$out server.crt $\backslash -$cert ca$.$crt $-$keyfile ca$.$key