Skip to content

Instantly share code, notes, and snippets.

Created October 14, 2017 13:12
  • Star 55 You must be signed in to star a gist
  • Fork 26 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Create self-signed SSL certificate with SubjectAltName(SAN)

How to create a self-signed SSL Certificate with SubjectAltName(SAN)

After Chrome 58, self-signed certificate without SAN is not valid anymore.

Step 1: Generate a Private Key

openssl genrsa -des3 -out 2048

Step 2: Generate a CSR (Certificate Signing Request)

openssl req -new -key -out
Enter pass phrase for
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

openssl rsa -in -out

Step 4: Create config file for SAN

touch v3.ext

File content

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         =, DNS:*
issuerAltName          = issuer:copy

Step 5: Generating a Self-Signed Certificate

openssl x509 -req -in -signkey -out -days 3650 -sha256 -extfile v3.ext


Copy link

worked like a charm, many thanks!

Copy link

At Step 1, you can generate an unprotected private key by omitting the -des3 flag:

openssl genrsa -out 2048

Doing so makes Step 3 unnecessary.

Copy link

This saved me a lot of headache, thanks for writing this down.

Copy link

Good one

Copy link


Copy link

Quick note, if you leave basicConstraints = CA:TRUE, Firefox will think your cert is a CA and deny your request.

Omitting that, will fix the issue you're getting the MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY issue. Worth noting that as far as I know, Firefox will deny all self signed certs, and you can't get around it with security exceptions.

Your best bet is to create a CA - and then use that to sign the CSR as above. Good luck!

Copy link

Actual hero

Copy link

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment