Paul Bradley • Solutions Architect & Software Developer


Generating a CSR for a multi-domain SAN certificate

Create a CSR for a Multi-Domain SSL Certificate using OpenSSL

At work we are moving away from wildcard certificates. Instead, we’re using certificates with defined Subject Alternative Names (SANs). Today I had to generate a certificate signing request (CSR) for such a domain, so I’ve written up the process for future reference. If you find it useful, then it’s been worth posting.

To generate a CSR with multiple subject alternative names you’ll need to change your OpenSSL configuration file. Start by taking a backup of the existing configuration. I’m using Ubuntu as my main development machine, so my OpenSSL configuration is located in the /etc/ssl directory. To back up the configuration, I copied the existing cnf file like this:

sudo cp /etc/ssl/openssl.cnf \
        /etc/ssl/openssl.cnf.backup

Using the editor of your choice, open the config file to edit its contents. Look for the [ req ] section and uncomment the line shown below. If you don’t see the line, add it under [ req ]. It directs OpenSSL to read the [ v3_req ] section when it builds a certificate request:

# The extensions to add to a certificate request
req_extensions = v3_req

Scroll down the file until you see [ v3_req ] and add the subjectAltName line shown below. It directs OpenSSL to read the names from the alt_names section:

[ v3_req ]
subjectAltName = @alt_names

Then, at the end of your configuration file, add an alt_names section and list all the different domains and subdomains you wish to include within the certificate signing request (CSR).

[alt_names]
DNS.1=signalsix.co.uk
DNS.2=www.signalsix.co.uk
DNS.3=api.signalsix.co.uk
DNS.4=testing.signalsix.co.uk

Save the configuration file and exit your text editor.

Generate a Key File and a CSR

Before we generate our CSR (Certificate Signing Request) we first need to create a new key file:

openssl genrsa -des3 -out san.signalsix.co.uk.key 2048

Use the following OpenSSL command to generate your CSR. Change the -subj value so that its fields match your Country, State, Location and Organisation name.

openssl req -key san.signalsix.co.uk.key \
        -new -out san.signalsix.co.uk.csr \
        -subj "/C=GB/ST=Cumbria/L=Carlisle/O=Signal Six/CN=signalsix.co.uk"
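
Before sending the CSR to a certificate authority, confirm that the request really carries every name: if the req_extensions line is missing or still commented out, OpenSSL produces a valid CSR with no SANs at all. The script below is an added example, not part of the original post. It assumes a standalone config passed with -config rather than the edited /etc/ssl/openssl.cnf, an unencrypted throwaway key in a temporary directory, and hypothetical helper names (write_san_config, csr_sans, check_csr_sans, make_demo_csrs).

```sh
#!/bin/sh
# Added example, not from the original article. Uses a standalone config
# and an unencrypted throwaway key in a temp dir (constructed demo values).
SUBJ="/C=GB/ST=Cumbria/L=Carlisle/O=Signal Six/CN=signalsix.co.uk"

# Write a request config with the same sections the article edits.
write_san_config() (   # usage: write_san_config FILE NAME...
    file=$1; shift; i=1
    {
        printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[ dn ]\ncommonName = Common Name\n'
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > "$file"
)

# Print the DNS names a CSR actually requests, sorted, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort
}

# Succeed only if the CSR's SAN set equals the expected names exactly.
check_csr_sans() (     # usage: check_csr_sans CSR NAME...
    csr=$1; shift
    [ "$(csr_sans "$csr")" = "$(printf '%s\n' "$@" | sort)" ]
)

# Build san.csr from the full config and nosan.csr from a copy with
# req_extensions removed, the case where OpenSSL silently omits the SANs.
make_demo_csrs() (     # usage: make_demo_csrs DIR NAME...
    dir=$1; shift
    write_san_config "$dir/san.cnf" "$@"
    sed '/^req_extensions/d' "$dir/san.cnf" > "$dir/nosan.cnf"
    openssl genrsa -out "$dir/demo.key" 2048 2>/dev/null || exit 1
    for kind in san nosan; do
        openssl req -new -key "$dir/demo.key" -config "$dir/$kind.cnf" \
            -subj "$SUBJ" -out "$dir/$kind.csr" || exit 1
    done
)

demo() (
    dir=$(mktemp -d) || exit 1
    set -- signalsix.co.uk www.signalsix.co.uk api.signalsix.co.uk testing.signalsix.co.uk
    make_demo_csrs "$dir" "$@" || { rm -rf "$dir"; exit 1; }
    check_csr_sans "$dir/san.csr" "$@" && echo "san.csr: all names present"
    check_csr_sans "$dir/nosan.csr" "$@" || echo "nosan.csr: SANs missing, do not submit"
    rm -rf "$dir"
)
demo
```

To check the CSR generated with the commands above, source the functions and run check_csr_sans san.signalsix.co.uk.csr followed by the four names from the alt_names section.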