Generating a CSR for a multi-domain SAN certificate
Create a CSR for a Multi-Domain SSL Certificate using OpenSSL
At work we are moving away from using wildcard certificates. Instead we’re using certificates with defined Subject Alternative Names. Today I had to generate a certificate signing request (CSR) for such a domain, so I’ve wrote up the process for future reference. If you find it useful, then it’s been worth posting.
To generate a CSR with multiple subject alternative names you’ll need change your OpenSSL configuration file. Start by taking a backup of the existing configuration. I’m using Ubuntu as my main development machine, so my OpenSSL configuration is located in the /etc/ssl directory; so to backup the configuration I copied the existing cnf file like:
sudo cp /etc/ssl/openssl.cnf \ /etc/ssl/openssl.cnf.backup
Using the editor of your choice open the config file to edit its contents. Look for the [ req ] section. Uncomment the following line: If you don’t see the line, add it under [ req ]. This will direct OpenSSL to read the [ v3_req ] section.
# The extensions to add to a certificate request req_extensions = v3_req
Scroll down the file until you see [ v3_req ] and add the following line: This will direct the config file to read alt names.
[ v3_req ] subjectAltName = @alt_names
Then at the end of your configuration file, add an alt_names section and list all the different sub domains you wish to include within the certificate signing request (CSR).
[alt_names] DNS.1=signalsix.co.uk DNS.2=www.signalsix.co.uk DNS.3=api.signalsix.co.uk DNS.4=testing.signalsix.co.uk
Save the configuration file and exit your text editor.
Generate a Key File and a CSR
Before we generate our CSR (Certificate Signing Request) we first need to create a new key file:
openssl genrsa -des3 -out san.signalsix.co.uk.key 2048
Use the following OpenSSL command to generate your CSR. Change the -subj line so that values match your Country, State, Location and Organisational name.
openssl req -key san.signalsix.co.uk.key \ -new -out san.signalsix.co.uk.csr \ -subj "/C=GB/ST=Cumbria/L=Carlisle/O=Signal Six/CN=signalsix.co.uk"