How to generate a self-signed SAN SSL/TLS certificate using openssl
Generating a self-signed certificate is a common task and the command to generate one with openssl
is well known and well documented. Generating a certificate that includes a subjectAltName (SAN) extension is not so straightforward, yet it matters: modern browsers and TLS libraries match the host name only against the SAN and ignore the CN. The following example demonstrates how to generate a SAN certificate without making a permanent change to the openssl configuration.
Generate a list of all required DNS names. (Note: the CN is not consulted by clients that check SAN, so every name the certificate must cover has to appear in this list.)
$ export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"
Generate a temporary configuration by appending a [ san ] section to the system openssl.cnf. Every SAN entry needs a type prefix (DNS:, IP:, email:); a bare value is rejected by openssl.
NOTE: On OS X (El Capitan) the openssl configuration file path is /System/Library/OpenSSL/openssl.cnf
instead of the RHEL/CentOS default of /etc/pki/tls/openssl.cnf (Debian/Ubuntu use /etc/ssl/openssl.cnf).
$ cat \
/etc/pki/tls/openssl.cnf \
- \
<<-CONFIG > /tmp/www.domain.localdomain.cnf
[ san ]
subjectAltName="${SAN:-email:root@localhost.localdomain}"
CONFIG
Generate the certificate using the additional parameters -config, -reqexts, and -extensions. With -x509, -extensions selects the section whose extensions go into the self-signed certificate; -reqexts only applies when producing a CSR (without -x509), so it is harmless here but not what adds the SAN.
$ openssl req \
-x509 \
-sha256 \
-nodes \
-newkey rsa:2048 \
-days 365 \
-reqexts san \
-extensions san \
-subj "/CN=www.domain.localdomain" \
-config /tmp/www.domain.localdomain.cnf \
-keyout /etc/pki/tls/private/www.domain.localdomain.key \
-out /etc/pki/tls/certs/www.domain.localdomain.crt
Note: -nodes writes the private key unencrypted, so make sure the file under private/ is mode 0600 and owned by root. Check that the SAN made it into the certificate with: openssl x509 -in /etc/pki/tls/certs/www.domain.localdomain.crt -noout -text | grep -A1 'Subject Alternative Name'
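The steps above, as an added example that is not part of the original page: a small POSIX shell script that builds the DNS: list from its arguments, writes a throw-away, self-contained openssl config (instead of concatenating the distro's openssl.cnf, so the config path does not matter), generates the key and certificate with the key never world-readable, and reads the SAN back out of the certificate to confirm it was applied. It assumes only that openssl is on PATH; the key and certificate paths are whatever the caller passes.

```shell
# Added example, not from the original page.  Assumes openssl on PATH.

# gen_san_cert KEYFILE CERTFILE DNS1 [DNS2 ...]
#   Writes KEYFILE (mode 0600, unencrypted) and CERTFILE (mode 0644).
#   The first DNS name is also used as the CN.
gen_san_cert() {
    keyfile=$1
    certfile=$2
    shift 2
    [ $# -gt 0 ] || { echo "gen_san_cert: need at least one DNS name" >&2; return 1; }

    # Build "DNS:a,DNS:b,..." - every SAN entry needs a type prefix.
    san=""
    for host in "$@"; do
        san="${san:+$san,}DNS:$host"
    done

    # Minimal stand-alone config, so /etc/pki/tls vs /etc/ssl vs
    # /System/Library/OpenSSL is irrelevant.  `req` insists on a
    # distinguished_name section even with prompting turned off.
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = $1
[ san ]
subjectAltName = $san
EOF

    # umask in a subshell: the key is created 0600 from the start,
    # not chmod'ed down after a brief world-readable window.
    ( umask 077 && openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
        -config "$cnf" -extensions san \
        -keyout "$keyfile" -out "$certfile" 2>/dev/null ) || { rm -f "$cnf"; return 1; }
    rm -f "$cnf"
    chmod 644 "$certfile"   # the certificate is public
}

# san_of CERTFILE
#   Prints the subjectAltName line of the certificate, e.g.
#   "DNS:www.domain.localdomain, DNS:domain.localdomain".
#   Use this to confirm the extension was really applied.
san_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Usage (paths from the page):
#   gen_san_cert /etc/pki/tls/private/www.domain.localdomain.key \
#                /etc/pki/tls/certs/www.domain.localdomain.crt \
#                www.domain.localdomain domain.localdomain
#   san_of /etc/pki/tls/certs/www.domain.localdomain.crt
```

The function refuses to run with an empty name list rather than silently producing a CN-only certificate, since that is exactly the certificate modern clients reject.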
Generate a new Diffie-Hellman group (only needed if the server offers finite-field DHE cipher suites; ECDHE does not use it).
Warning! This takes a while...
$ openssl dhparam \
-out /tmp/dhparams.pem \
2048
Append the DH parameters to the certificate file. This is the Apache mod_ssl convention (it reads custom DH parameters from the SSLCertificateFile); nginx instead takes them through the ssl_dhparam directive, so there point it at /tmp/dhparams.pem rather than appending.
$ cat /tmp/dhparams.pem \
>> /etc/pki/tls/certs/www.domain.localdomain.crt