Generate a private key:
$ openssl genrsa -out san.key 2048 && chmod 0600 san.key
Create a configuration file. Change alt_names appropriately.
$ cat << EOL > san.conf
[ req ]
default_bits       = 2048
default_keyfile    = san.key #name of the keyfile
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = GB
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = West Midlands
localityName                = Locality Name (eg, city)
localityName_default        = Birmingham
organizationName            = Organization Name (eg, company)
organizationName_default    = Example
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = www.example.com
DNS.2   = www.example.net
DNS.3   = www.example.org
EOL
Generate a CSR:
$ openssl req -new -nodes -sha256 -config san.conf -out san.csr
Verify:
$ openssl req -in san.csr -noout -text

#Generate the cert 1 year
openssl x509 -req -sha256 \
-days 365 \
-in san.csr \
-signkey san.key \
-out san.crt >/dev/null 2>&1
That’s fine if you want a self-signed certificate.
Simple and Concise. Thank you!