Objective
This article describes how to create a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names.
Instructions
To create a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names, complete the following procedure:
- Create an OpenSSL configuration file (text file) on the local computer, editing the fields to match the company requirements.
  Note 1: In the example used in this article, the configuration file is req.conf.
  Note 2: req_extensions puts the subject alternative names in a CSR, whereas x509_extensions would be used when creating an actual certificate file.

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no

    [req_distinguished_name]
    C = US
    ST = VA
    L = SomeCity
    O = MyCompany
    OU = MyDivision
    CN = www.company.com

    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = www.company.com
    DNS.2 = company.com
    DNS.3 = www.company.net
    DNS.4 = company.net
- Run the following command to create the Certificate Signing Request (CSR) and a new key file:

    openssl req -new -out company_san.csr -newkey rsa:2048 -nodes -sha256 -keyout company_san.key.temp -config req.conf
- Run the following command to verify the Certificate Signing Request:

    openssl req -text -noout -verify -in company_san.csr

  Output:

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US, ST=VA, L=SomeCity, O=MyCompany, OU=MyDivision, CN=www.company.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        …
                    Exponent: 65537 (0x10001)
            Attributes:
            Requested Extensions:
                X509v3 Key Usage:
                    Key Encipherment, Data Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Subject Alternative Name:
                    DNS:www.company.net, DNS:company.com, DNS:company.net
        Signature Algorithm: sha256WithRSAEncryption
- Download the Certificate Signing Request file company_san.csr and provide it to your certification authority of choice for signing.
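The verification step prints the requested extensions but leaves the comparison against req.conf to the eye. The script below is an added example, not part of the original article, that automates the comparison before the CSR goes to the CA. The function names (conf_sans, csr_sans, missing_sans) and temporary file names are assumptions made for the illustration, and the sample input is the [alt_names] section and the Subject Alternative Name lines copied from the listings in this article.

```shell
# Added example: confirm that every DNS name requested in [alt_names] of
# req.conf appears in the text dump of the CSR before it is sent for signing.

# DNS names under [alt_names] in an OpenSSL config ($1), one per line, lowercased.
conf_sans() {
    awk '
        /^[ \t]*\[/ { in_alt = ($0 ~ /^[ \t]*\[[ \t]*alt_names[ \t]*\]/); next }
        in_alt && /^[ \t]*DNS\.[0-9]+[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print tolower($0)
        }' "$1" | sort -u
}

# DNS entries on the line after "X509v3 Subject Alternative Name:" in the
# output of `openssl req -text -noout` ($1), one per line, lowercased.
csr_sans() {
    awk '
        found {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                e = parts[i]; gsub(/^[ \t]+|[ \t]+$/, "", e)
                if (e ~ /^DNS:/) print tolower(substr(e, 5))
            }
            exit
        }
        /X509v3 Subject Alternative Name:/ { found = 1 }' "$1" | sort -u
}

# Names requested in the config ($1) that are absent from the CSR dump ($2).
missing_sans() {
    conf_sans "$1" | while read -r name; do
        csr_sans "$2" | grep -qxF -- "$name" || echo "$name"
    done
}

# Sample input copied from the article: [alt_names] and the SAN lines of the output.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/req.conf" <<'EOF'
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
EOF
cat > "$tmp/csr.txt" <<'EOF'
            X509v3 Subject Alternative Name:
                DNS:www.company.net, DNS:company.com, DNS:company.net
EOF
# With a real CSR: openssl req -in company_san.csr -noout -text > "$tmp/csr.txt"
echo "missing from CSR: $(missing_sans "$tmp/req.conf" "$tmp/csr.txt" | tr '\n' ' ')"
```

Run on the listings in this article, it reports www.company.com: that name is in [alt_names] but not on the Subject Alternative Name line of the output shown.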