Overview
If you’re working in IT infrastructure, web hosting, or managing secure connections for multiple domains/subdomains, you’ve likely run across SAN certificates. These magic multi-host certs allow for Subject Alternative Names—a necessity when you’re consolidating domains or managing microservices architecture.
In this guide, I’ll show you how to create a Certificate Signing Request (CSR) and corresponding key file for a SAN certificate with multiple Subject Alternative Names. All you’ll need is OpenSSL, a configuration file, and a few minutes. Let’s dive in. 🛠️
Step 1: Create an OpenSSL Configuration File
First, you’ll need to create an OpenSSL configuration file on your local machine. This file defines certificate attributes, including SAN entries and other key details.
Create a file (let’s call it req.conf) and define its contents as follows. Customize the fields (C, ST, L, etc.) based on your organization’s needs:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = Texas
L = Austin
O = MyOrganization
OU = ITDepartment
CN = www.example.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = www.example.net
DNS.4 = example.net
Note: req_extensions is what adds the Subject Alternative Names (SAN) to the CSR. If you were creating an actual certificate file (not a CSR), you’d use x509_extensions instead.
Step 2: Generate the CSR and Key File
Once your configuration file (req.conf) is ready, run the following OpenSSL command to generate both the CSR and the private key:
openssl req -new -out example_san.csr -newkey rsa:2048 -nodes -sha256 -keyout example_san.key.temp -config req.conf
Explanation of Arguments:
-new: Indicates you’re creating a new CSR.
-out example_san.csr: Where to write the CSR.
-newkey rsa:2048: Generates a new 2048-bit RSA private key.
-nodes: Leaves the key unencrypted (no passphrase prompt), so protect the file with filesystem permissions.
-sha256: Specifies SHA-256 as the signature hash algorithm for the request.
-keyout example_san.key.temp: Where to write the private key.
-config req.conf: Points to your custom configuration file.
The command outputs two files:
example_san.csr: Your Certificate Signing Request (send this to your Certificate Authority).
example_san.key.temp: The private key (keep this secure; it never leaves your machine).
Step 3: Verify the CSR
Before you send the CSR to your Certificate Authority (CA), you might want to verify its contents to ensure it’s accurate:
openssl req -text -noout -verify -in example_san.csr
Example Output:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Austin, O=MyOrganization, OU=ITDepartment, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:www.example.net, DNS:example.net
    Signature Algorithm: sha256WithRSAEncryption
Double-check that all the Subject Alternative Names (SANs) and other certificate attributes are as expected; a SAN that is missing here will be missing from the issued certificate, and a CA will not add names you did not request.
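Steps 1 through 3 as one script, added here as an example and not taken from the original post. It writes the request configuration from a CN and a list of DNS names, generates the key and CSR with the same flags the post uses, and then checks mechanically (rather than by eye) that every requested name came through in the CSR and that the request signature verifies. It assumes OpenSSL is on PATH; the function names and the file names under the temporary directory are my own choices. It departs from the post’s config in one place: keyUsage adds digitalSignature, which ECDHE cipher suites require of a server key (public CAs generally set the final extensions themselves, so this matters most for internal CAs that honour the request as-is).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl is on PATH.
set -eu

# Write an OpenSSL request config for one CN and any number of DNS SANs.
# $1 = output path, $2 = CN, remaining arguments = DNS names.
write_san_config() {
  out=$1; cn=$2; shift 2
  {
    printf '[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\nprompt = no\n\n'
    printf '[req_distinguished_name]\nC = US\nST = Texas\nL = Austin\nO = MyOrganization\nOU = ITDepartment\nCN = %s\n\n' "$cn"
    # digitalSignature is needed for ECDHE key exchange with an RSA server key
    printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n'
    printf '[alt_names]\n'
    i=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$out"
}

# Generate the private key and CSR (same flags as the post), then lock the key down:
# -nodes leaves it unencrypted, so file permissions are its only protection.
generate_csr() {
  conf=$1; key=$2; csr=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$csr" -config "$conf" 2>/dev/null
  chmod 600 "$key"
}

# Print the DNS SANs actually present in a CSR, one per line, sorted.
csr_sans() {
  openssl req -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
    | sort
}

# Succeed only if the CSR signature verifies and every expected name is present.
# $1 = CSR path, remaining arguments = DNS names that must appear.
check_csr() {
  csr=$1; shift
  openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
  got=$(csr_sans "$csr")
  for want in "$@"; do
    printf '%s\n' "$got" | grep -qxF "$want" || return 1
  done
}

# End-to-end run using the post's four names (constructed sample input).
main() {
  dir=$(mktemp -d)
  write_san_config "$dir/req.conf" www.example.com \
    www.example.com example.com www.example.net example.net
  generate_csr "$dir/req.conf" "$dir/example_san.key" "$dir/example_san.csr"
  if check_csr "$dir/example_san.csr" www.example.com example.com www.example.net example.net; then
    echo "CSR OK: SANs = $(csr_sans "$dir/example_san.csr" | tr '\n' ' ')"
  else
    echo "CSR is missing a requested SAN or failed signature verification" >&2
    return 1
  fi
}

# Only run the demo when openssl is available; the functions stay usable either way.
if command -v openssl >/dev/null 2>&1; then
  main
fi
```

The check in check_csr is the automated form of Step 3: it fails if a name was dropped or mistyped in the config, which is the usual cause of a certificate that later fails hostname validation for one of the intended hosts.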
Step 4: Submit the CSR
Finally, download your CSR file (example_san.csr) and submit it to a Certificate Authority (CA) of your choice. Once signed, you’ll receive the actual SAN certificate, ready to deploy across your environment.
Wrapping It Up
That’s it! You now know how to create a CSR for SAN certificates using OpenSSL. Whether you’re tackling SSL/TLS challenges for multiple domains or spinning up multi-host services, SAN certificates can simplify and secure your workload.
If you found this post helpful, share it with your fellow system admins, SREs, or networking pros. Got anything cool to add, or caught a killer edge-case? Let me know in the comments below or connect with me on LinkedIn 📬.