Last active April 20, 2017 13:41
  • Save GC-Mark/fe92529be177a9d247f04811073d8345 to your computer and use it in GitHub Desktop.
Create a Wildcard SubjectAltName Self-Signed Certificate
#!/usr/bin/env bash
# See:
# See:
# See:
set -euo pipefail
# Make a temp directory and go there (the original only created it and never cd'd into it)
TMP_DIR=$(mktemp -d)
cd "$TMP_DIR"
echo "Working in $(pwd)"
# Start from the stock OpenSSL configuration file (macOS path; on most Linux
# systems it is /etc/ssl/openssl.cnf instead)
cp /System/Library/OpenSSL/openssl.cnf openssl.cnf
# EDIT the file before continuing: enable "x509_extensions = v3_ca" in [req],
# add "subjectAltName = @alt_names" to [v3_ca], and add an [alt_names] section
# with the DNS.n / IP.n entries you want in the certificate
# See:
read -rp "Edit $TMP_DIR/openssl.cnf now, then press Enter to continue " _
# Generate the private key
openssl genrsa -out private.key 4096
# Generate the self-signed certificate; the SANs come from the edited config
# (-nodes only affects a key created by -newkey, so it is not needed here)
openssl req -new -x509 -sha256 -days 3650 -key private.key -out wild-san.crt -config openssl.cnf

GC-Mark commented Apr 20, 2017

The first step to make the process easier and repeatable in the future is to copy the default configuration file from /etc/ssl/openssl.cnf to a working directory where you can adapt it.

Let’s assume that you’ve copied /etc/ssl/openssl.cnf to ~/project-openssl.cnf. Edit the new file and set the various default values to the ones that you need — that’s better than having to respond to openssl’s prompts every time you run it.

For real non-self-signed certificates, you would generate a certificate signing request (.csr) file, ready for a certificate authority to sign it for you. In that case, you need to follow the instructions at

But for a self-signed certificate, the subjectAltName has to go in a different place. Make sure you’ve got this line present and un-commented in the [req] section of the config file:

x509_extensions = v3_ca

and then this goes at the end of the [v3_ca] section:

subjectAltName = @alt_names

[alt_names]
DNS.1 =
DNS.2 =
DNS.3 =
DNS.4 =

There is (apparently) a limit to the number (or total length) of the alternate names, but I didn’t reach it with 11 domain names.

It’s also possible to add IP addresses to the alt_names section like this:

IP.1 =
IP.2 =

Then to create the key and self-signed certificate, run commands similar to these:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout project.key -out project.crt -config ~/project-openssl.cnf
cp project.crt /etc/ssl/localcerts/
mv project.key /etc/ssl/private/

Note that I move (rather than copy) the key to the private directory to avoid leaving a copy of it lying around unprotected.

You can check that the certificate contains all the domains that you added by running this:

openssl x509 -in project.crt -text -noout | less

Alternative approach
I haven’t tried this, but according to it’s also possible to create a CSR and then self-sign it like this:

openssl x509 -req -days 3650 -in project.csr -signkey project.key -out project.crt -extensions v3_req -extfile project-openssl.cnf
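The following is an added example, not code from the gist above or from the comment; it puts both procedures on this page (the one-command `req -x509` path used by the gist, and the CSR-then-`x509 -req -extensions v3_req` alternative at the end of the comment) into one runnable script with its own config file, and then checks that the SANs actually landed in the certificate. It assumes `openssl` 1.1.1 or later is on PATH; the names `*.example.test` / `example.test`, the IP addresses and all file names are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the gist or the comment above.
# Assumes: openssl 1.1.1+ on PATH; the names *.example.test / example.test,
# the IPs and all file names are made up for the demo.
set -eu

# Write a self-contained config: the DN comes from the file (prompt = no), the
# SANs live in [alt_names] and are referenced from both the self-signed
# extension section (v3_ca, used by `req -x509`) and the CSR extension
# section (v3_req, used by `req -new` and by `x509 -req -extensions v3_req`).
# Unlike the stock [v3_ca], these sections mark the cert as a leaf (CA:FALSE).
write_san_config() {
  cat >"$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
req_extensions     = v3_req
prompt             = no

[dn]
CN = *.example.test

[v3_ca]
basicConstraints = critical, CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[v3_req]
basicConstraints = critical, CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = *.example.test
DNS.2 = example.test
IP.1  = 127.0.0.1
IP.2  = ::1
EOF
}

# Path 1: key and self-signed certificate in one command (what the gist does).
# Prints the certificate path.
make_selfsigned_direct() {
  local dir=$1
  write_san_config "$dir/san.cnf"
  openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
    -keyout "$dir/direct.key" -out "$dir/direct.crt" \
    -config "$dir/san.cnf" 2>/dev/null
  echo "$dir/direct.crt"
}

# Path 2: CSR first, then self-sign it. `x509 -req` does not carry the CSR's
# extensions into the certificate on its own, so the SAN section is re-applied
# with -extfile/-extensions; without that the result has no SAN at all.
make_selfsigned_via_csr() {
  local dir=$1
  write_san_config "$dir/san.cnf"
  openssl genrsa -out "$dir/csr.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/csr.key" -out "$dir/csr.csr" \
    -config "$dir/san.cnf"
  openssl x509 -req -sha256 -days 365 -in "$dir/csr.csr" \
    -signkey "$dir/csr.key" -out "$dir/csr.crt" \
    -extfile "$dir/san.cnf" -extensions v3_req 2>/dev/null
  echo "$dir/csr.crt"
}

# The SAN line of a certificate, e.g.
# "DNS:*.example.test, DNS:example.test, IP Address:127.0.0.1, ..."
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeeds only if openssl's own hostname matcher accepts the name against
# the cert's SANs (a *.example.test wildcard covers one label, not two).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

work=$(mktemp -d)
for crt in "$(make_selfsigned_direct "$work")" "$(make_selfsigned_via_csr "$work")"; do
  echo "$crt: $(cert_sans "$crt")"
  for host in www.example.test example.test a.b.example.test; do
    if cert_matches_host "$crt" "$host"; then echo "  $host: match"; else echo "  $host: no match"; fi
  done
done
rm -rf "$work"
```

Two points the script is built around: the stock `[v3_ca]` section in openssl.cnf carries `basicConstraints = critical,CA:true`, so reusing it for a self-signed server certificate (as the gist and comment do) produces a certificate that is also a CA; the example's own `v3_ca`/`v3_req` sections set `CA:FALSE` instead. And `openssl x509 -checkhost` is the check to run after `-text`: reading the SAN line by eye does not tell you that `*.example.test` covers `www.example.test` but not `a.b.example.test`.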
