Create a Subject Alternative Name (SAN) CSR with OpenSSL

Generate a private key:

$ openssl genrsa -out san.key 2048 && chmod 0600 san.key

Create a configuration file. Change the entries under [alt_names] to the hostnames the certificate must cover.

$ cat << EOL > san.conf
[ req ]
default_bits       = 2048
default_keyfile    = san.key #name of the keyfile
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = GB
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = West Midlands
localityName                = Locality Name (eg, city)
localityName_default        = Birmingham
organizationName            = Organization Name (eg, company)
organizationName_default    = Example
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = www.example.com
DNS.2   = www.example.net
DNS.3   = www.example.org
EOL

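Generate a CSR from the key created above. Without -key, openssl req generates a new key and writes it to default_keyfile, overwriting san.key:

$ openssl req -new -nodes -sha256 -key san.key -config san.conf -out san.csr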

Verify the CSR and check that the names appear under "X509v3 Subject Alternative Name":

$ openssl req -in san.csr -noout -text
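The steps above as one non-interactive script, with a check that the CSR verifies, was made from the intended key, and carries exactly the expected SANs. This is an added example, not part of the original post; the function names, the `prompt = no` config and the scratch directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and names are constructed.

# make_csr DIR NAME...: write DIR/san.conf, DIR/san.key and DIR/san.csr
# with NAME... as DNS SANs (the first NAME is also used as the CN).
make_csr() {
    dir=$1; shift
    {
        printf '[ req ]\ndistinguished_name = dn\nreq_extensions = req_ext\nprompt = no\n'
        printf '[ dn ]\nCN = %s\n[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n' "$1"
        i=0; for n in "$@"; do i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$n"; done
    } > "$dir/san.conf"
    # umask in a subshell: the key is never readable by others, even briefly.
    (umask 077; openssl genrsa -out "$dir/san.key" 2048 2>/dev/null) &&
        openssl req -new -sha256 -key "$dir/san.key" \
            -config "$dir/san.conf" -out "$dir/san.csr"
}

# csr_sans CSR: print the CSR's DNS SANs, one per line, sorted.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | LC_ALL=C sort
}

# check_csr CSR KEY NAME...: succeed only if the CSR's self-signature verifies,
# its public key belongs to KEY, and its DNS SANs are exactly NAME...
check_csr() {
    csr=$1 key=$2; shift 2
    # Match on the message rather than relying on the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "signature does not verify" >&2; return 1; }
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "CSR was not made from $key" >&2; return 1; }
    want=$(printf '%s\n' "$@" | LC_ALL=C sort)
    got=$(csr_sans "$csr")
    [ "$want" = "$got" ] ||
        { echo "SAN mismatch, CSR has: $got" >&2; return 1; }
}

# Demo with the post's sample names in a scratch directory.
tmp=$(mktemp -d) &&
    make_csr "$tmp" www.example.com www.example.net www.example.org &&
    check_csr "$tmp/san.csr" "$tmp/san.key" \
        www.example.com www.example.net www.example.org &&
    echo "CSR OK"
```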

3 thoughts on “Create a Subject Alternative Name (SAN) CSR with OpenSSL”

  1. #Generate the cert 1 year

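    # x509 -req does not copy extensions from the CSR by default;
    # -extfile/-extensions add the SANs from san.conf to the certificate.
    openssl x509 -req -sha256 \
    -days 365 \
    -in san.csr \
    -signkey san.key \
    -extfile san.conf -extensions req_ext \
    -out san.crt >/dev/null 2>&1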
