Generating a CSR for a multi-domain SAN certificate

Written by Paul Bradley


Create a CSR for a Multi-Domain SSL Certificate using OpenSSL

At work we are moving away from using wildcard certificates. Instead we’re using certificates with defined Subject Alternative Names. Today I had to generate a certificate signing request (CSR) for such a certificate, so I’ve written up the process for future reference. If you find it useful, then it’s been worth posting.

To generate a CSR with multiple subject alternative names you’ll need to change your OpenSSL configuration file. Start by taking a backup of the existing configuration. I’m using Ubuntu as my main development machine, so my OpenSSL configuration is located in the /etc/ssl directory; to back up the configuration I copied the existing cnf file like this:

sudo cp /etc/ssl/openssl.cnf \
        /etc/ssl/openssl.cnf.backup

Using the editor of your choice, open the config file. Look for the [ req ] section and uncomment the following line (if you don’t see the line, add it under [ req ]). This directs OpenSSL to read the [ v3_req ] section when it builds a request.

# The extensions to add to a certificate request
req_extensions = v3_req

Scroll down the file until you see [ v3_req ] and add the following line, which tells OpenSSL to read the alternative names from the alt_names section.

[ v3_req ]
subjectAltName = @alt_names

Then, at the end of your configuration file, add an alt_names section listing every subdomain you wish to include in the certificate signing request (CSR).

[alt_names]
DNS.1=signalsix.co.uk
DNS.2=www.signalsix.co.uk
DNS.3=api.signalsix.co.uk
DNS.4=testing.signalsix.co.uk

Save the configuration file and exit your text editor.

Generate a Key File and a CSR

Before we generate our CSR (Certificate Signing Request) we first need to create a new private key. The -des3 option encrypts the key with a passphrase, which OpenSSL will prompt you for:

openssl genrsa -des3 -out san.signalsix.co.uk.key 2048

Use the following OpenSSL command to generate your CSR. Change the -subj values so they match your country, state, location and organisation name.

openssl req -key san.signalsix.co.uk.key \
        -new -out san.signalsix.co.uk.csr \
        -subj "/C=GB/ST=Cumbria/L=Carlisle/O=Signal Six/CN=signalsix.co.uk"
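As an added example (my own script, not part of the original post), the same procedure can be done without touching /etc/ssl/openssl.cnf: write the SAN settings to a dedicated config file, pass it with -config, and then read the CSR back to confirm every name made it in before sending it to the CA. The function names, the san.cnf file name and the use of -nodes are this example's assumptions.

```shell
#!/bin/sh
# write_san_config <out.cnf> <dns-name> [<dns-name> ...]
# Builds a stand-alone OpenSSL config carrying the req_extensions / v3_req /
# alt_names wiring from the post, so the system-wide config is left untouched.
write_san_config() {
    cnf=$1; shift
    {
        echo '[ req ]'
        echo 'distinguished_name = req_distinguished_name'
        echo 'req_extensions = v3_req'
        echo ''
        echo '[ req_distinguished_name ]'   # left empty: the DN comes from -subj
        echo ''
        echo '[ v3_req ]'
        echo 'subjectAltName = @alt_names'
        echo ''
        echo '[ alt_names ]'
        i=1
        for name in "$@"; do
            echo "DNS.$i = $name"
            i=$((i + 1))
        done
    } > "$cnf"
}

# make_san_csr <config> <subject> <key-out> <csr-out>
# Creates the key and CSR in one step. -nodes leaves the key unencrypted so this
# runs non-interactively; drop it to get a passphrase-protected key as in the post.
make_san_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1" -subj "$2" \
        -keyout "$3" -out "$4" 2>/dev/null
}

# csr_san_names <csr>
# Prints the DNS names the CSR actually requests, one per line. A CSR generated
# with a config that lacks req_extensions will print nothing here.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Stand-alone run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    write_san_config san.cnf signalsix.co.uk www.signalsix.co.uk \
        api.signalsix.co.uk testing.signalsix.co.uk
    make_san_csr san.cnf "/C=GB/ST=Cumbria/L=Carlisle/O=Signal Six/CN=signalsix.co.uk" \
        san.signalsix.co.uk.key san.signalsix.co.uk.csr
    csr_san_names san.signalsix.co.uk.csr
fi
```

If the last command prints fewer names than you listed, the CSR was built without the v3_req extensions and the CA will issue a certificate for the CN only.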