@spawnrider
Last active June 16, 2023 20:59
Creating a multi-domain (SAN) SSL certificate using OpenSSL

Introduction

This minimalist post is about creating a private key and a certificate signing request (CSR) for a SAN SSL certificate using OpenSSL. These commands were tested on the macOS command line using iTerm 2.

Generate the private key

Run the following command to generate the private key: openssl genrsa -out acme.com.key 2048

Generate the certificate signing request (CSR)

Create an OpenSSL config file named acme.com.cnf with the following content:

[ req ]
default_bits            = 2048
encrypt_key             = no
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName         = FR
stateOrProvinceName = Ile-de-France
localityName        = PARIS LA DEFENSE
organizationName    = ACME GROUPE
organizationalUnitName = IS Services
commonName          = acme.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = acme.com
DNS.2 = subdomain.acme.com
DNS.3 = another.acme.com

Adapt the content to your domain (the commonName attribute) and subdomains (the DNS.X values in alt_names). Keep the commonName listed in alt_names as well (DNS.1 above): clients match the hostname against the SAN extension, not the CN.

Run the following command to generate the CSR: openssl req -new -sha256 -out acme.com.csr -key acme.com.key -config acme.com.cnf

Verify the certificate signing request (CSR)

You can verify the generated CSR on the CLI using: openssl req -in acme.com.csr -noout -text

The output should look like this (key material redacted):

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, ST=Ile-de-France, L=PARIS LA DEFENSE, O=ACME GROUPE, OU=IS Services, CN=acme.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    <content>
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    c9:bf
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:acme.com, DNS:subdomain.acme.com, DNS:another.acme.com
    Signature Algorithm: sha256WithRSAEncryption
         00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
         <content>
         00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
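As an added example (not part of the original gist), the following POSIX shell script automates the steps above: it writes the request config from a list of hostnames, generates the key and CSR with the same two openssl commands, and then checks that every expected name is present in the CSR's SAN extension. It assumes the openssl CLI is on PATH; WORKDIR, the helper function names and the C/O values are constructed for the example.

```shell
# Added example, not from the original gist: build the key and SAN CSR
# described above from a list of hostnames, then verify that every name
# (commonName included) is in the CSR's SAN extension. Assumes openssl is on
# PATH; WORKDIR and the C/O values are constructed for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the request config; the first hostname becomes the commonName and
# every hostname, commonName included, is listed under [alt_names].
write_csr_config() {            # usage: write_csr_config out.cnf host1 [host2 ...]
  cnf="$1"; shift
  {
    printf '[ req ]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
    printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n\n'
    printf '[ req_distinguished_name ]\nC = FR\nO = ACME GROUPE\nCN = %s\n\n' "$1"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
    i=1; for host; do printf 'DNS.%d = %s\n' "$i" "$host"; i=$((i + 1)); done
  } > "$cnf"
}

# Same two commands as the post: genrsa for the key, req -new for the CSR.
make_csr() {                    # usage: make_csr name host1 [host2 ...]
  name="$1"; shift
  write_csr_config "$WORKDIR/$name.cnf" "$@"
  openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/$name.key" \
    -config "$WORKDIR/$name.cnf" -out "$WORKDIR/$name.csr"
}

# Print the DNS names from the CSR's Subject Alternative Name, one per line.
csr_sans() {                    # usage: csr_sans file.csr
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 only if every expected hostname appears in the SAN list.
check_csr_sans() {              # usage: check_csr_sans file.csr host1 [host2 ...]
  sans="$(csr_sans "$1")"; shift
  for host; do
    printf '%s\n' "$sans" | grep -qxF "$host" \
      || { echo "missing SAN: $host" >&2; return 1; }
  done
}

make_csr acme.com acme.com subdomain.acme.com another.acme.com
check_csr_sans "$WORKDIR/acme.com.csr" acme.com subdomain.acme.com another.acme.com
echo "CSR OK, SANs: $(csr_sans "$WORKDIR/acme.com.csr" | tr '\n' ' ')"
```

Set WORKDIR to an existing directory to keep the generated acme.com.key, acme.com.cnf and acme.com.csr instead of a temporary one.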
scomo commented Jun 16, 2023

how would we do this with -addext on the commandline?
