Generate ssl certificates with Subject Alt Names on OSX

Open ssl.conf in a text editor.

Edit the domain(s) listed under the [alt_names] section so that they match the local domain name you want to use for your project, e.g.

DNS.1   =

Additional FQDNs can be added if required:

DNS.1   =
DNS.2   =
DNS.3   =

Create a directory for your project, e.g. my_project and save ssl.conf inside it.

Open Terminal and navigate to 'my_project':

cd my_project

Generate a private key:

openssl genrsa -out private.key 4096

Generate a Certificate Signing Request:

openssl req -new -sha256 \
    -out private.csr \
    -key private.key \
    -config ssl.conf 

(You will be asked a series of questions about your certificate. Answer however you like, but for 'Common name' enter the name of your project, e.g. my_project)

Now check the CSR:

openssl req -text -noout -in private.csr

You should see this:

X509v3 Subject Alternative Name: and Signature Algorithm: sha256WithRSAEncryption

Generate the certificate:

openssl x509 -req \
    -sha256 \
    -days 3650 \
    -in private.csr \
    -signkey private.key \
    -out private.crt \
    -extensions req_ext \
    -extfile ssl.conf

Add the certificate to keychain and trust it:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain private.crt

(Alternatively, double click on the certificate file private.crt to open Keychain Access. Your project name my_project will be listed under the login keychain. Double click it and select 'Always trust' under the 'Trust' section.)

If you are using MAMP Pro, add (or edit) a host with the server name you listed under the [alt_names] section of your ssl.conf. On the SSL tab select the Certificate file and Certificate key that you just generated.

Save changes and restart Apache.

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = England
localityName = Locality Name (eg, city)
localityName_default = Brighton
organizationName = Organization Name (eg, company)
organizationName_default = Hallmarkdesign
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 =
DNS.2 =
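The steps above as one runnable script, added here as an example (it is not the gist's own code). It writes a non-interactive equivalent of ssl.conf, generates the key, CSR and self-signed certificate, and then signs the same CSR a second time without -extensions/-extfile to show why those two flags matter: openssl x509 -req does not copy the CSR's extensions into the certificate by default, so the SAN is silently lost, and modern browsers ignore the Common Name and accept a certificate only if the host appears in the SAN. The hostnames and file names are constructed for the demo; the only assumption is that the openssl CLI (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example, not part of the gist. Assumes the openssl CLI is installed.
set -eu

# Write a config equivalent to the gist's ssl.conf. "prompt = no" lets
# "openssl req" run without the interactive questions; the DNS names are
# constructed placeholders passed in as arguments.
write_san_config() {                       # $1 = output path, $2.. = DNS names
    conf="$1"; shift
    {
        printf '[ req ]\n'
        printf 'default_bits = 4096\n'
        printf 'prompt = no\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = req_ext\n'
        printf '[ req_distinguished_name ]\n'
        printf 'CN = my_project\n'
        printf '[ req_ext ]\n'
        printf 'subjectAltName = @alt_names\n'
        printf '[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%s = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$conf"
}

# Private key and CSR (the CSR carries the SAN because of req_extensions).
make_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }
make_csr() { openssl req -new -sha256 -key "$1" -config "$2" -out "$3"; }

# Self-sign the CSR. With $4 = yes the req_ext section is re-applied from
# the config file (the gist's -extensions/-extfile flags); with $4 = no the
# SAN present in the CSR is dropped from the certificate.
sign_cert() {                              # $1 csr, $2 key, $3 conf, $4 yes|no, $5 out
    if [ "$4" = yes ]; then
        openssl x509 -req -sha256 -days 3650 -in "$1" -signkey "$2" \
            -extensions req_ext -extfile "$3" -out "$5" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 3650 -in "$1" -signkey "$2" \
            -out "$5" 2>/dev/null
    fi
}

# Print the SAN entries of a CSR ($1 = req) or certificate ($1 = x509) as
# "DNS:a,DNS:b"; prints nothing when the file has no SAN extension.
san_of() {                                 # $1 = req|x509, $2 = file
    openssl "$1" -noout -text -in "$2" | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' '
}

# Run the whole flow in a working directory and print the SAN of the
# correctly signed certificate. no_san.crt is left beside it for comparison.
run_demo() {                               # $1 = working directory
    dir="$1"
    mkdir -p "$dir"
    write_san_config "$dir/ssl.conf" dev.my_project.test www.my_project.test
    make_key "$dir/private.key"
    make_csr "$dir/private.key" "$dir/ssl.conf" "$dir/private.csr"
    sign_cert "$dir/private.csr" "$dir/private.key" "$dir/ssl.conf" yes "$dir/with_san.crt"
    sign_cert "$dir/private.csr" "$dir/private.key" "$dir/ssl.conf" no  "$dir/no_san.crt"
    san_of x509 "$dir/with_san.crt"
}

# Stand-alone use: sh san_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    run_demo "$(mktemp -d)"
fi
```

After a run, san_of x509 on with_san.crt prints both DNS names while no_san.crt prints nothing, which is exactly the difference the gist's final openssl x509 command guards against. OpenSSL 1.1.1 and later also accept an inline extension on the request side (openssl req -addext "subjectAltName=DNS:..."), which is the route the one-liners in the comments below take with a process-substituted config instead of a file.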

one liner to generate self-signed certificate with subjectAltName for testing:

openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=GB/ST=England/L=Brighton/O=Example/CN=*" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\,")) \
  -keyout example_com.key \
  -x509 -days 3650 -extensions SAN -out example_com.crt

Verify certificate:

openssl x509 -in /tmp/ -noout -text


Thanks, it worked.


Thank you very much. It worked.


masayyed commented Dec 22, 2021

Thanks, thanks a lot man.


Particular thanks for this bit.

openssl x509 -req \
    -extensions req_ext \
    -extfile ssl.conf

I looked far and wide for a way to transition usages from CSR to Certificate, and this was it.


wibed commented Aug 5, 2023

I'd like to chip in. Found this one-liner:

openssl req \
  -x509 \
  -newkey rsa:4096 \
  -sha256 \
  -days 3560 \
  -nodes \
  -keyout tls.key \
  -out tls.crt \
  -subj '/CN=localhost' \
  -extensions san \
  -config <(cat << EOF

I'm currently debugging so am not sure if this works, but I like the format.
