
How to Create a CSR for SAN Certificate

Many folks have asked me how to generate a CSR (Certificate Signing Request) and a key file for a SAN certificate, that is, one that includes multiple Subject Alternative Names.

Creating a CSR for a SAN certificate is not much different from generating a regular CSR, other than including the multiple Subject Alternative Names. Here is a simple way of doing it with OpenSSL. The command feeds the request configuration to -config through process substitution, <( ... ), with an inline heredoc, so it has to be run under bash rather than plain sh.

openssl req -new -out san.csr -newkey rsa:2048 -nodes -sha256 -keyout san.key -subj "/C=US/ST=Washington/L=SomeCity/O=Example. Inc./OU=IT/CN=www.example.com" -config <(
cat <<-EOF
[req]
default_bits = 2048
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = site1.example.com
DNS.2 = site2.example.com
DNS.3 = site3.example.com
EOF
)

Just change the example.com references to the site names for which you want the SAN certificate. The command produces two files: san.key, the private key for your certificate, and san.csr, the signing request you send to the Certificate Authority to have the certificate issued. Because of -nodes the private key is written unencrypted, so restrict its file permissions and never send it along with the CSR.

Once you have generated the CSR, run the command below to verify it and confirm that it contains the request you intended, in particular the Subject Alternative Name entries.

localhost:tmp raj$ openssl req -text -noout -verify -in san.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Washington, L=SomeCity, O=Example. Inc., OU=IT, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ac:bd:a0:17:f7:e2:69:9d:1c:9d:88:16:60:e1:
                    2c:6b:a3:46:f0:15:29:a6:70:95:b1:eb:47:8f:1f:
                    52:19:13:da:76:da:2e:33:24:df:39:91:30:f4:87:
                    f3:f2:18:84:f7:9f:bf:d8:c8:bc:a8:79:22:e2:f7:
                    c1:80:a8:66:de:ac:6d:cf:02:98:61:82:fd:b0:cb:
                    ea:ae:97:cb:56:8d:88:2c:95:33:7f:6e:1b:7d:54:
                    6d:8e:8c:87:9b:f5:29:26:09:78:58:fe:4c:e4:66:
                    bd:6b:4b:eb:7a:3b:76:cc:61:8e:97:8e:1e:59:32:
                    76:9e:83:be:06:2a:dd:7a:01:9a:50:26:78:d2:7b:
                    6d:26:e6:ee:a7:74:51:ab:f1:4e:a9:19:a2:38:d7:
                    7b:6a:9a:81:34:b8:e6:b7:7c:04:40:38:a6:aa:54:
                    01:56:7d:b8:70:5c:52:ba:6f:95:91:f1:cb:2f:6d:
                    7b:a6:ff:0a:b8:ef:fa:fb:cb:d8:9f:60:d9:a2:14:
                    f6:18:b3:69:25:46:cf:e3:24:3f:03:84:a1:05:ba:
                    95:21:56:82:20:e8:3d:18:a7:a5:96:6d:e6:d4:f9:
                    cc:ea:a6:db:12:99:2e:cd:00:3d:c6:c5:f6:ec:16:
                    9e:c1:a0:37:f6:e0:9e:11:96:3e:59:61:cd:5c:6b:
                    ee:f3
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:site1.example.com, DNS:site2.example.com, DNS:site3.example.com
    Signature Algorithm: sha256WithRSAEncryption
         55:ca:37:6c:2b:98:f1:f1:b0:d6:1c:8f:a4:d1:f8:e0:c3:7a:
         98:df:93:c3:f1:41:33:5c:12:91:21:00:2e:92:0d:9d:7a:f4:
         6d:52:83:21:b0:4f:c7:bd:d5:16:5b:4a:84:92:a4:9e:78:fd:
         62:68:4d:32:64:e8:4f:cb:07:82:84:89:50:61:b2:1d:76:70:
         72:ac:22:c6:45:13:ca:03:bf:e4:15:ad:3a:19:be:d1:e7:57:
         ab:01:c4:89:f7:db:4c:a2:70:00:1a:aa:59:47:92:19:0f:8a:
         ef:87:f5:3b:e8:4e:83:8e:5d:21:92:b6:fb:a8:94:63:88:98:
         0b:3f:25:88:76:5b:86:0c:0c:86:1b:25:a9:d5:b2:a6:d5:56:
         f5:cc:90:30:60:ff:68:4f:52:20:bc:1a:6b:78:7f:a0:83:18:
         ef:92:e7:6a:a1:3a:84:ae:d2:3d:14:22:af:ae:72:96:8e:3d:
         bd:c8:97:be:dd:31:07:ff:0c:ed:bc:b6:02:bc:15:3f:26:41:
         d3:c3:67:04:9b:13:5a:2d:0e:e6:2f:38:30:34:30:c0:0f:da:
         cc:7e:29:b9:d2:9c:dd:e2:ce:c8:28:0f:ea:d3:d6:b0:6e:20:
         fd:1c:fd:2c:1b:c0:31:1e:69:e6:d9:7d:3e:03:78:2e:bc:9c:
         9d:91:4c:6b
localhost:tmp raj$ 
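Reading the -text dump by eye is error-prone, so here is an added example (not from the original post) that does the same generation with the config in a plain file, which works under sh as well as bash, and then checks the CSR programmatically: that its SAN list matches exactly the names you asked for and that the private key really belongs to the request. The subject and the site1/site2/site3 names are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a SAN CSR from a config file and verify it.
# SUBJ and SANS are constructed values; replace them with your own.
set -eu

SUBJ="/C=US/ST=Washington/L=SomeCity/O=Example Inc./OU=IT/CN=www.example.com"
SANS="site1.example.com site2.example.com site3.example.com"   # space-separated

write_san_config() {  # $1 = config path, $2 = space-separated DNS names
  local i=1 n
  {
    printf '[req]\ndefault_bits = 2048\ndefault_md = sha256\n'
    printf 'req_extensions = req_ext\ndistinguished_name = dn\n[dn]\n'
    printf '[req_ext]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth, clientAuth\n'
    printf 'subjectAltName = @alt_names\n[alt_names]\n'
    for n in $2; do printf 'DNS.%d = %s\n' "$i" "$n"; i=$((i + 1)); done
  } > "$1"
}
gen_san_csr() {  # $1 = key out, $2 = CSR out, $3 = config; key is unencrypted (-nodes)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1" -out "$2" \
    -subj "$SUBJ" -config "$3" 2>/dev/null
}
csr_sans() {  # print the DNS entries of CSR $1's subjectAltName, one per line, sorted
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://' | sort
}
verify_sans() {  # $1 = CSR, remaining args = expected names; 0 only if the sets match exactly
  local csr=$1 want got
  shift
  want=$(printf '%s\n' "$@" | sort)
  got=$(csr_sans "$csr")
  [ "$want" = "$got" ]
}
key_matches_csr() {  # 0 if private key $1 and CSR $2 carry the same public key
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}
main() {  # $1 = output dir; writes san.cnf, san.key, san.csr and checks them
  local dir=${1:-.}
  write_san_config "$dir/san.cnf" "$SANS"
  gen_san_csr "$dir/san.key" "$dir/san.csr" "$dir/san.cnf"
  # $SANS is deliberately unquoted so it splits into one argument per name
  verify_sans "$dir/san.csr" $SANS || { echo "SAN list mismatch" >&2; exit 1; }
  key_matches_csr "$dir/san.key" "$dir/san.csr" || { echo "key/CSR mismatch" >&2; exit 1; }
  echo "CSR OK: expected SANs present, key matches, ready to send to the CA"
}
# Run as: sh san_csr.sh run ./out   (the functions can also be sourced and called)
if [ "${1:-}" = "run" ]; then main "${2:-.}"; fi
```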

That's all. Once you receive the signed certificate from the Certificate Authority, you can install it on your server together with the key generated in the steps above.
