Create Certificate Signing Request with Multiple Subject Alternative Names

by Ramses Soto-Navarro ramses@sotosystems.com, 2/8/2022

Overview
Create CNF
Create CSR
Verify CSR


Overview

Brief on how to create a certificate signing request (CSR) with multiple subject alternative names (SANs).

Create CNF

Create an OpenSSL configuration file:

# mkdir /etc/ssl/mycerts && cd /etc/ssl/mycerts

# vi example.com.cnf
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = v3_req
prompt              = no
# output_password is not applied when the key is created with -nodes (see Create CSR)
output_password     = mypass

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = Florida
localityName            = Example County
organizationName        = Example Corporation
organizationalUnitName  = IT Department
commonName              = example.com
emailAddress            = admin@example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1   = *.example.com
DNS.2   = example.com

Create CSR

Create the private key and the certificate signing request. The -nodes option writes example.com.priv.key unencrypted:

# openssl req -out example.com.csr -newkey rsa:2048 -nodes -keyout example.com.priv.key -config example.com.cnf

Verify CSR

Verify that the CSR has the correct subject alternative names:

# openssl req -noout -text -in example.com.csr | grep DNS
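
An added example (not part of the original article): grep only shows that some DNS entries are present, so this shell function compares the SAN list in the CSR text against the exact names expected and reports any that are missing or unexpected. The function names and the sample CSR text are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-match check of a CSR's DNS subject alternative names.
# Real use:
#   openssl req -noout -text -in example.com.csr | check_sans '*.example.com' example.com

# Print the DNS SANs found in `openssl req -noout -text` output (stdin),
# one per line, sorted.
san_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' |
        LC_ALL=C sort -u
}

# Succeed only if the SAN set on stdin equals the names given as arguments.
# Differences are reported on stderr.
check_sans() {
    found=$(san_names)
    want=$(printf '%s\n' "$@" | LC_ALL=C sort -u)
    [ "$found" = "$want" ] && return 0
    printf '%s\n' "$want" | while IFS= read -r n; do
        printf '%s\n' "$found" | grep -Fxq -- "$n" ||
            echo "missing from CSR: $n" >&2
    done
    printf '%s\n' "$found" | while IFS= read -r n; do
        [ -n "$n" ] || continue
        printf '%s\n' "$want" | grep -Fxq -- "$n" ||
            echo "unexpected in CSR: $n" >&2
    done
    return 1
}

# Constructed sample of the "Requested Extensions" part of the text output.
sample_text() {
    cat <<'EOF'
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com
EOF
}

sample_text | check_sans '*.example.com' example.com && echo "SANs match"
```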


The End.