How to create a TLS certificate with subject alternative name (SAN)

There are many articles on the internet on how to generate a TLS certificate with the Subject Alternative Name (SAN) extension, but most of them won't work anymore. So here is another one, which hopefully works (tested with OpenSSL 1.1.1a). The SAN matters because modern clients match the hostname against the SAN entries only: Chrome has ignored the Common Name (CN) since version 58, so a certificate without a SAN is rejected even when the CN is the right hostname.

1. Create a config file

First we will create a config file. I added comments on the lines which you might want to adjust to your needs. Note that the CN below is not a hostname; that is fine, because the hostnames go into the SAN section, which is the only place clients look for them.

[ req ]
default_bits       = 4096                    # default key size (RSA is default algorithm)
prompt = no                                    
default_md = sha256                          # SHA256 as signature algorithm for the certificate
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
C=US                                         # adjust these values to your organization/company/whatever
ST=Some State 
L=Some Town
O=Some Org
emailAddress=someone@someorghere.net
CN=SomeOrg

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = someorghere.net                    # 1st SAN entry
DNS.2   = www.someorghere.net                # 2nd SAN entry; of course you can add more (DNS.3, DNS.4, ...)

2. Generate a private key and a Certificate Signing Request (CSR)

I assume here that you saved the config file above as someorg_san.cnf. The -nodes switch makes sure that the private key is not encrypted (OpenSSL 3.x calls this -noenc and still accepts -nodes as an alias), so restrict the permissions on the key file to the user that runs the server.

$ openssl req -new -nodes -out someorg.csr -keyout someorg.key -config someorg_san.cnf
Generating a RSA private key
...................................+++
.......................................................................................................................+++
writing new private key to 'someorg.key'
-----

3. Create the certificate

Finally we create the certificate. Because of -signkey it is self-signed, so clients have to trust it explicitly; for a CA-signed certificate you would hand the CSR to the CA instead. Here the certificate is valid for 365 days. The -extensions req_ext -extfile someorg_san.cnf part is the step most guides miss: openssl x509 -req does not copy the extensions from the CSR, so without it the SAN silently disappears from the certificate.

$ openssl x509 -req -days 365 -in someorg.csr -signkey someorg.key -out someorg.pem -extensions req_ext -extfile someorg_san.cnf 
Signature ok
subject=C = US, ST = Some State, L = Some Town, O = Some Org, emailAddress = someone@someorghere.net, CN = SomeOrg
Getting Private key

4. Check the certificate

Last but not least let's check if everything went right. For this we print the certificate in readable form and grep for the Subject Alternative Name entry (OpenSSL 1.1.1 and later can also print just that extension with -ext subjectAltName).

$ openssl x509 -in someorg.pem -noout -text | grep -iA1 'Subject Alternative Name'  
            X509v3 Subject Alternative Name: 
                DNS:someorghere.net, DNS:www.someorghere.net
As you can see the extension was added successfully. Hooray. If the grep prints nothing, the -extensions/-extfile options were most likely missing in step 3.
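The four steps above wrapped into one script, as an added example that is not part of the original post. It generates the config from the DNS names given on the command line, runs the key/CSR/certificate steps, and then checks the result the way a TLS client would: with openssl verify -verify_hostname, which matches against the SAN and ignores the CN once a DNS SAN is present. The function and file names (make_san_cert, san_of, cert_matches_host, <basename>.cnf/.key/.csr/.pem) are my own; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumes openssl >= 1.1.1.
#
# usage: make_san_cert <basename> <days> <dns-name> [<dns-name> ...]
# Writes <basename>.cnf, .key, .csr and .pem into the current directory.
make_san_cert() {
    name=$1; days=$2; shift 2
    [ $# -ge 1 ] || { echo "need at least one DNS name" >&2; return 2; }

    # Step 1: write the config. The SAN list is built from the arguments;
    # the first DNS name doubles as CN. Subject fields are placeholders.
    {
        cat <<EOF
[ req ]
default_bits       = 4096
prompt             = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
C  = US
O  = Some Org
CN = $1

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
EOF
        i=1
        for host in "$@"; do
            echo "DNS.$i = $host"
            i=$((i + 1))
        done
    } > "$name.cnf"

    # Step 2: private key and CSR. -nodes leaves the key unencrypted,
    # so lock the file down immediately.
    openssl req -new -nodes -out "$name.csr" -keyout "$name.key" \
        -config "$name.cnf" 2>/dev/null || return 1
    chmod 600 "$name.key"

    # Step 3: self-signed certificate. x509 -req drops the CSR's own
    # extensions, so the SAN section is re-supplied via -extfile/-extensions.
    openssl x509 -req -days "$days" -in "$name.csr" -signkey "$name.key" \
        -out "$name.pem" -extensions req_ext -extfile "$name.cnf" \
        2>/dev/null || return 1
}

# Step 4: print only the SAN entries of a certificate, e.g.
# "DNS:someorghere.net,DNS:www.someorghere.net" (-ext needs openssl >= 1.1.1).
san_of() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d ' '
}

# Does the certificate match a hostname the way a client checks it?
# Returns 0 on match, non-zero otherwise. The self-signed certificate is
# used as its own trust anchor so that only the hostname check can fail.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}
```

Calling cert_matches_host with the CN ("SomeOrg") fails while the SAN names succeed, which is exactly the behaviour that makes the SAN extension mandatory.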
