@hyvanix
Created March 23, 2021 10:37

Create req.conf

# cat req.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = PL
ST = Warsaw
L = Praga
O = CA Organization
OU = Praga
CN = freebsd13
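[v3_req]
# Note: digitalSignature is not set; TLS 1.3 and (EC)DHE key exchange in TLS 1.2 require it on the server certificate
keyUsage = keyEncipherment, dataEncipherment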
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = mail.example-1.net
DNS.2 = mail.example-2.net
DNS.3 = mail.example-3.net

Create Key and Certificate

# openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout private/mail.key \
              -out certs/mail.csr -config req.conf -extensions 'v3_req'

Add Subject Alternative Names to Certificate

# openssl req -x509 -nodes -days 1000 -key private/mail.key -out certs/mail.pem \
              -config req.conf -extensions 'v3_req'

Verify Subject Alternative Names in Certificate

# openssl x509 -in certs/mail.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            23:49:a4:55:6b:f4:e5:4a:27:f9:4c:b8:21:73:1b:f6:f0:50:97:c5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = PL, ST = Warsaw, L = Praga, O = CA Organization, OU = Praga, CN = freebsd13
        Validity
            Not Before: Mar 23 10:23:19 2021 GMT
            Not After : Dec 18 10:23:19 2023 GMT
        Subject: C = PL, ST = Warsaw, L = Praga, O = CA Organization, OU = Praga, CN = freebsd13
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:mail.example-1.net, DNS:mail.example-2.net, DNS:mail.example-3.net
    Signature Algorithm: sha256WithRSAEncryption
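
The verification step above, automated as an added example (not part of the original gist): it compares the DNS names under `[alt_names]` in `req.conf` with the SAN line of saved `openssl x509 -noout -text` output. The function names and the sample files written by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original gist): check that the DNS names in
# req.conf's [alt_names] section match the certificate's SAN extension.

# DNS.n values from the [alt_names] section of an OpenSSL config, sorted.
conf_sans() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[[ \t]*alt_names[ \t]*\]/); next }
        in_sec && /^[ \t]*DNS\.[0-9]+[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }' "$1" | sort -u
}

# DNS names from saved `openssl x509 -noout -text` output, sorted.
cert_sans() {
    awk '
        found { n = split($0, a, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/^[ \t]+|[ \t]+$/, "", a[i])
                    if (a[i] ~ /^DNS:/) print substr(a[i], 5)
                }
                exit }
        /X509v3 Subject Alternative Name/ { found = 1 }' "$1" | sort -u
}

# Returns 0 when the two sets match, 1 on mismatch, 2 when the config has none.
check_sans() {
    want=$(conf_sans "$1"); have=$(cert_sans "$2")
    [ -n "$want" ] || { echo "no [alt_names] entries in $1" >&2; return 2; }
    [ "$want" = "$have" ] && { echo "SAN OK"; return 0; }
    echo "SAN mismatch; requested:" >&2; echo "$want" >&2
    echo "present in certificate:" >&2; echo "$have" >&2
    return 1
}

# Constructed sample input so the check runs without a certificate on disk.
demo() {
    d=$(mktemp -d) || return 3
    printf '%s\n' '[v3_req]' 'subjectAltName = @alt_names' '[alt_names]' \
        'DNS.1 = mail.example-1.net' 'DNS.2 = mail.example-2.net' > "$d/req.conf"
    printf '%s\n' '            X509v3 Subject Alternative Name: ' \
        '                DNS:mail.example-1.net, DNS:mail.example-2.net' > "$d/cert.txt"
    check_sans "$d/req.conf" "$d/cert.txt"; rc=$?
    rm -rf "$d"; return $rc
}
demo
```

Against the real files, save the output with `openssl x509 -in certs/mail.pem -noout -text > cert.txt` and run `check_sans req.conf cert.txt`.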