OpenSSL CSR with Subject Alternative Names

Tue 07 February 2012
By makefu

I had the requirement to create a certificate with a Subject Alternative Name (additional DNS names for the same host). Again it turned out not to be that simple. An extra configuration has to be created, and the SubjectAltName can be added in this config for the Signing Request.

We will create a private key file together with a CSR.

SubjectAltName in Certificate Signing Request

#!/bin/sh

cat > my.cnf <<EOF
[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
req_extensions      = req_ext # The extensions to add to the certificate request

[ req_distinguished_name ]
countryName           = Country Name (2 letter code)
countryName_default   = DE
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Upper Corner
localityName          = Locality Name (eg, city)
localityName_default  = Internet
organizationName          = Organization Name (eg, company)
organizationName_default  = Krebs Co
commonName            = Common Name (eg, YOUR name)
commonName_default    = euer.krebsco.de
commonName_max        = 64

[ req_ext ]
subjectAltName          = @alt_names

[alt_names]
DNS.1   = euer.krebsco.de
DNS.2   = euer
EOF

openssl req -new -nodes -out my.csr -config my.cnf
openssl req -noout -text -in my.csr
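
A non-interactive variant with a check, added here as an example and not part of the original post: it writes a prompt-free config (`prompt = no`, so the DN section holds values instead of prompts), creates the key and CSR, and confirms that the request carries the expected DNS names and that the common name is among them. The function names and the temporary directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and file
# locations are assumptions; the host names are the ones used in the post.

# Write a prompt-free config and create key + CSR in directory $1.
make_csr() {
    cat > "$1/my.cnf" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName      = DE
organizationName = Krebs Co
commonName       = euer.krebsco.de

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = euer.krebsco.de
DNS.2 = euer
EOF
    openssl req -new -nodes -config "$1/my.cnf" \
        -keyout "$1/privkey.pem" -out "$1/my.csr" 2>/dev/null
}

# Print the DNS subjectAltName entries of CSR $1, one per line, sorted.
csr_dns_sans() {
    openssl req -noout -text -in "$1" |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p' | sort
}

# Print the subject commonName of CSR $1.
csr_cn() {
    openssl req -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed if the DNS SANs of CSR $1 are exactly the remaining arguments
# and the commonName is one of them (clients match on SAN when present).
check_csr() {
    csr=$1; shift
    [ "$(csr_dns_sans "$csr")" = "$(printf '%s\n' "$@" | sort)" ] &&
        csr_dns_sans "$csr" | grep -qxF "$(csr_cn "$csr")"
}
```

Typical use: `d=$(mktemp -d) && make_csr "$d" && check_csr "$d/my.csr" euer.krebsco.de euer`. Running the check before submitting the request catches a config where the `req_extensions` line or the `[ alt_names ]` section was dropped.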
