# cat req.conf
# OpenSSL request configuration, passed to `openssl req` with -config.
[req]
# Name of the section that supplies the subject fields.
distinguished_name = req_distinguished_name
# Extension section applied when `openssl req -x509` writes a self-signed certificate.
x509_extensions = v3_req
# Take the subject values from this file instead of asking interactively.
prompt = no
[req_distinguished_name]
C = PL
ST = Warsaw
L = Praga
O = CA Organization
OU = Praga
# NOTE(review): this name is not repeated in [alt_names]; clients that match
# hostnames against subjectAltName only will not accept the certificate for it.
CN = freebsd13
[v3_req]
# NOTE(review): digitalSignature is not listed. In TLS 1.3 and in (EC)DHE key
# exchange the server signs with this key, and clients that enforce keyUsage
# may reject the certificate; confirm whether digitalSignature should be added.
# TLS server authentication does not rely on dataEncipherment.
keyUsage = keyEncipherment, dataEncipherment
# Restricts the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
# The SAN entries are read from the [alt_names] section below.
subjectAltName = @alt_names
[alt_names]
# DNS names the certificate is issued for; list every hostname clients connect to.
DNS.1 = mail.example-1.net
DNS.2 = mail.example-2.net
DNS.3 = mail.example-3.net
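Create Key and Certificate
Note: with -x509, openssl req writes a self-signed certificate rather than a signing request, so certs/mail.csr holds a certificate despite its name. -nodes leaves private/mail.key unencrypted on disk, so keep that file readable only by the account that runs the mail service. -days 1000 is longer than the 825-day limit some client platforms (Apple's, for example) place on TLS server certificates.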
# openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout private/mail.key \
-out certs/mail.csr -config req.conf -extensions 'v3_req'
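Add Subject Alternative Names to Certificate
Note: this reuses the existing private/mail.key (-key instead of -newkey) and writes the self-signed certificate to certs/mail.pem; the SAN entries come from [alt_names] through the v3_req extension section.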
# openssl req -x509 -nodes -days 1000 -key private/mail.key -out certs/mail.pem \
-config req.conf -extensions 'v3_req'
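Verify Subject Alternative Names in Certificate
Note: in the output, check that the X509v3 Subject Alternative Name line lists every hostname clients will connect to.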
# openssl x509 -in certs/mail.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
23:49:a4:55:6b:f4:e5:4a:27:f9:4c:b8:21:73:1b:f6:f0:50:97:c5
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = PL, ST = Warsaw, L = Praga, O = CA Organization, OU = Praga, CN = freebsd13
Validity
Not Before: Mar 23 10:23:19 2021 GMT
Not After : Dec 18 10:23:19 2023 GMT
Subject: C = PL, ST = Warsaw, L = Praga, O = CA Organization, OU = Praga, CN = freebsd13
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:de:0c:91:f0:41:1f:99:8e:f6:9f:7b:fc:dd:c5:
9a:c3:d7:cb:46:b7:9a:7c:4c:5a:2f:5a:80:4f:3c:
a9:c3:0b:ce:da:9b:88:93:24:49:bc:45:1c:53:1b:
3c:18:4a:46:e7:d1:cd:83:8f:7c:22:f6:3c:55:17:
16:35:23:3e:56:aa:5d:32:db:64:3f:44:80:3b:79:
b6:a5:6b:c2:8d:63:73:c8:26:89:f4:52:1c:3d:82:
63:f5:33:9b:43:56:cf:e5:f9:bb:39:c1:77:23:76:
74:00:02:29:f7:d6:7c:62:8d:6a:3b:69:c7:d6:c0:
d8:39:d9:96:66:c2:e9:9c:3c:22:20:ef:62:d4:ea:
f2:db:0e:a3:81:64:bb:50:b6:9f:42:de:f6:3d:0e:
be:6e:ff:86:ce:c3:48:70:78:29:5f:86:4a:4c:7f:
21:44:12:31:32:64:d7:74:8b:bd:e7:74:f6:4b:cf:
cc:19:89:a0:6b:d7:e4:ba:c6:65:91:14:2c:a7:8f:
43:5a:e2:5e:24:ad:ab:41:f0:67:7d:39:3e:76:f2:
64:f6:cf:8c:2f:59:ee:1f:fb:98:74:37:4d:b9:49:
ac:5e:79:93:22:63:04:8e:0f:86:fb:cd:59:e9:87:
4c:06:0e:1d:74:56:3b:5f:3c:ac:f5:d9:6e:87:f6:
a7:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:mail.example-1.net, DNS:mail.example-2.net, DNS:mail.example-3.net
Signature Algorithm: sha256WithRSAEncryption
bb:50:fd:9f:cb:64:14:9d:48:48:a0:4f:ca:2d:37:f6:19:0e:
89:17:7c:9a:4d:ca:ce:e5:10:bc:c4:62:e8:71:3a:5f:3b:97:
0e:92:0d:3f:e4:64:0c:db:5f:62:92:a3:80:8d:0b:7a:51:ef:
7d:7d:3e:92:26:76:19:64:e9:71:6a:8e:0d:f9:5b:2f:e7:0e:
cd:60:6d:74:73:07:5f:3b:0c:12:d3:2d:df:70:ae:da:be:58:
18:26:43:63:3d:85:c2:f1:da:c3:e4:76:23:cb:1e:0b:52:1c:
12:af:f9:a9:dd:a9:da:f7:fc:bf:ac:d6:53:bd:16:5d:57:99:
f4:65:c9:51:b1:d5:61:a3:b9:50:54:b2:6b:85:8a:93:83:5f:
df:d1:dd:d5:1c:dd:a7:e1:31:60:e6:df:a7:39:ea:b6:72:a3:
45:27:20:40:0c:ae:07:6d:b5:ca:77:bc:42:9c:23:01:8c:99:
1e:5e:da:42:4b:3b:61:13:db:d3:d1:60:de:97:40:be:85:f7:
06:7d:e9:b4:72:6a:62:32:c9:63:ba:44:02:4c:36:a6:e2:a4:
f4:14:bd:2e:64:64:dd:a1:e0:3b:47:2b:d3:0c:5c:01:f0:ed:
17:b7:91:19:c2:d5:ff:65:04:31:07:4b:b6:70:d2:67:76:1b:
23:f1:c8:b7