This article describes how to create a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names.
To create a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names, complete the following procedure:
- Create an OpenSSL configuration file (text file) on the local computer by editing the fields to the company requirements.Note 1: In the example used in this article the configuration file is req.conf.Note 2: req_extensions will put the subject alternative names in a CSR, whereas x509_extensions would be used when creating an actual certificate file. [req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no
C = US ST = VA L = SomeCity O = MyCompany OU = MyDivision CN = www.company.com
keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names
DNS.1 = www.company.com DNS.2 = company.com DNS.3 = www.company.net DNS.4 = company.net
Run the following commands to create the Certificate Signing Request (CSR) and a new Key file:
openssl req -new -out company_san.csr -newkey rsa:2048 -nodes -sha256 -keyout company_san.key.temp -config req.conf
Run the following command to verify the Certificate Signing Request:
openssl req -text -noout -verify -in company_san.csr
Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=VA, L=SomeCity, O=MyCompany, OU=MyDivision, CN=www.company.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): … Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Key Usage: Key Encipherment, Data Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Alternative Name: DNS:www.company.net, DNS:company.com, DNS:company.net Signature Algorithm: sha256WithRSAEncryption
Download the Certificate Signing Request file company_san.csr and provide it to your certification authority of choice for signing.