{"id":187,"date":"2021-05-19T10:42:07","date_gmt":"2021-05-19T15:42:07","guid":{"rendered":"https:\/\/tech.my-netsol.com\/?p=187"},"modified":"2025-07-26T12:06:10","modified_gmt":"2025-07-26T17:06:10","slug":"how-to-create-a-csr-and-key-file-for-a-san-certificate-with-multiple-subject-alternate-names","status":"publish","type":"post","link":"https:\/\/tech.my-netsol.com\/?p=187","title":{"rendered":"How to Create a CSR and Key File for a SAN Certificate with Multiple Subject Alternate Names"},"content":{"rendered":"<p>&nbsp;<\/p>\n<section>\n<h2>Overview<\/h2>\n<p>If you&#8217;re working in IT infrastructure, web hosting, or managing secure connections for multiple domains\/subdomains, you&#8217;ve likely run across SAN certificates. These magic multi-host certs allow for <strong>Subject Alternative Names<\/strong>\u2014a necessity when you&#8217;re consolidating domains or managing microservices architecture.<\/p>\n<p>In this guide, I&#8217;ll show you how to create a <strong>Certificate Signing Request (CSR)<\/strong> and corresponding <strong>key file<\/strong> for a SAN certificate with multiple Subject Alternative Names. All you&#8217;ll need is OpenSSL, a configuration file, and a few minutes. Let&#8217;s dive in. \ud83d\udee0\ufe0f<\/p>\n<\/section>\n<section>\n<h2>Step 1: Create an OpenSSL Configuration File<\/h2>\n<p>First, you&#8217;ll need to create an OpenSSL configuration file on your local machine. This file defines certificate attributes, including SAN entries and other key details.<\/p>\n<p>Create a file\u2014let&#8217;s call it <code>req.conf<\/code>\u2014and define its contents as follows. Customize the fields (<code>C<\/code>, <code>ST<\/code>, <code>L<\/code>, etc.) 
based on your organization\u2019s needs:<\/p>\n<pre>[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\nprompt = no\n\n[req_distinguished_name]\nC = US\nST = Texas\nL = Austin\nO = MyOrganization\nOU = ITDepartment\nCN = www.example.com\n\n[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = www.example.com\nDNS.2 = example.com\nDNS.3 = www.example.net\nDNS.4 = example.net\n<\/pre>\n<p><strong>Note:<\/strong><\/p>\n<ul>\n<li><code>req_extensions<\/code> names the section (<code>v3_req<\/code>) whose extensions, including the Subject Alternative Names (SAN), are added to the CSR.<\/li>\n<li>If you were creating an actual certificate file (not a CSR), you&#8217;d use <code>x509_extensions<\/code> instead.<\/li>\n<\/ul>\n<\/section>\n<section>\n<h2>Step 2: Generate the CSR and Key File<\/h2>\n<p>Once your configuration file (<code>req.conf<\/code>) is ready, run the following OpenSSL command to generate both the CSR and the private key:<\/p>\n<pre>openssl req -new -out example_san.csr -newkey rsa:2048 -nodes -sha256 -keyout example_san.key.temp -config req.conf\n<\/pre>\n<h3>Explanation of Arguments:<\/h3>\n<ul>\n<li><code>-new<\/code>: Indicates you\u2019re creating a new CSR.<\/li>\n<li><code>-out example_san.csr<\/code>: Writes the CSR to this file.<\/li>\n<li><code>-newkey rsa:2048<\/code>: Generates a 2048-bit RSA private key.<\/li>\n<li><code>-nodes<\/code>: Writes the private key unencrypted, so no passphrase is requested.<\/li>\n<li><code>-sha256<\/code>: Signs the CSR using SHA-256 as the hashing algorithm.<\/li>\n<li><code>-keyout example_san.key.temp<\/code>: Writes the private key to this file.<\/li>\n<li><code>-config req.conf<\/code>: Points to your custom configuration file.<\/li>\n<\/ul>\n<p>The command outputs two files:<\/p>\n<ul>\n<li><strong><code>example_san.csr<\/code><\/strong>: Your Certificate Signing Request (send this to your Certificate Authority).<\/li>\n<li><strong><code>example_san.key.temp<\/code><\/strong>: The private key, stored unencrypted because of <code>-nodes<\/code> (keep this secure and never send it to the CA).<\/li>\n<\/ul>\n<\/section>\n<section>\n<h2>Step 3: Verify the CSR<\/h2>\n<p>Before you send the CSR to your Certificate Authority (CA), you might 
want to verify its contents to ensure it&#8217;s accurate:<\/p>\n<pre>openssl req -text -noout -verify -in example_san.csr\n<\/pre>\n<h3>Example Output:<\/h3>\n<pre>Certificate Request:\n    Data:\n        Version: 0 (0x0)\n        Subject: C=US, ST=Texas, L=Austin, O=MyOrganization, OU=ITDepartment, CN=www.example.com\n        Subject Public Key Info:\n            Public Key Algorithm: rsaEncryption\n                RSA Public-Key: (2048 bit)\n                Modulus: ...\n                Exponent: 65537 (0x10001)\n        Attributes:\n        Requested Extensions:\n            X509v3 Key Usage:\n                Key Encipherment, Data Encipherment\n            X509v3 Extended Key Usage:\n                TLS Web Server Authentication\n            X509v3 Subject Alternative Name:\n                DNS:www.example.com, DNS:example.com, DNS:www.example.net, DNS:example.net\n    Signature Algorithm: sha256WithRSAEncryption\n<\/pre>\n<p>Double-check that all the Subject Alternative Names (SANs) and other certificate attributes are as expected.<\/p>\n<\/section>\n<section>\n<h2>Step 4: Submit the CSR<\/h2>\n<p>Finally, download your CSR file (<code>example_san.csr<\/code>) and submit it to a Certificate Authority (CA) of your choice. Once signed, you\u2019ll receive the actual SAN certificate, ready to deploy across your environment.<\/p>\n<\/section>\n<section>\n<h2>Wrapping It Up<\/h2>\n<p>That\u2019s it! You now know how to create a CSR for SAN certificates using OpenSSL. Whether you\u2019re tackling SSL\/TLS challenges for multiple domains or spinning up multi-host services, SAN certificates can simplify and secure your workload.<\/p>\n<p>If you found this post helpful, share it with your fellow system admins, SREs, or networking pros. Got anything cool to add, or caught a killer edge-case? 
Let me know in the comments below or connect with me on LinkedIn \ud83d\udcec.<\/p>\n<\/section>\n<footer>\n<p><strong>TL;DR:<\/strong><\/p>\n<ul>\n<li>Create an OpenSSL config file with <code>req_extensions<\/code> and SAN entries.<\/li>\n<li>Use <code>openssl req<\/code> to generate the CSR and private key.<\/li>\n<li>Verify the CSR, submit it to a CA, and deploy your SAN cert.<\/li>\n<\/ul>\n<p>Hashtags: <code>#SSL<\/code> <code>#Cybersecurity<\/code> <code>#SANCertificate<\/code> <code>#SysAdminTips<\/code> <code>#ITInfrastructure<\/code> <code>#OpenSSL<\/code> <code>#Networking<\/code> <code>#TLS<\/code><\/p>\n<\/footer>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Overview If you&#8217;re working in IT infrastructure, web hosting, or managing secure connections for multiple domains\/subdomains, you&#8217;ve likely run across SAN certificates. These magic multi-host certs allow for Subject Alternative Names\u2014a necessity when you&#8217;re consolidating domains or managing microservices architecture. 
In this guide, I&#8217;ll show you how to create a Certificate Signing Request (CSR) &#8230; <a title=\"How to Create a CSR and Key File for a SAN Certificate with Multiple Subject Alternate Names\" class=\"read-more\" href=\"https:\/\/tech.my-netsol.com\/?p=187\" aria-label=\"Read more about How to Create a CSR and Key File for a SAN Certificate with Multiple Subject Alternate Names\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[11,4],"tags":[],"class_list":["post-187","post","type-post","status-publish","format-standard","hentry","category-linux","category-ssl"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=\/wp\/v2\/posts\/187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=187"}],"version-history":[{"count":1,"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=\/wp\/v2\/posts\/187\/revisions"}],"predecessor-version":[{"id":299,"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=\/wp\/v2\/posts\/187\/revisions\/299"}],"wp:attachment":[{"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.my-netsol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.my-netsol.com\/index.php
?rest_route=%2Fwp%2Fv2%2Ftags&post=187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}