OPENSSL: GENERATE A CSR WITH SAN NAMES IN IT
SAN certificates are great when you need to protect several websites with SSL. In a SAN certificate, the “Subject Alternative Name” extension holds the different names you want to associate with the certificate.
One advantage of a SAN certificate is that additional names can be added later. To do this, you need to generate a new CSR with all the existing names AND the new names in it. I use openssl to generate the CSR. To get SAN names into the CSR, you have to edit the openssl configuration file.
This example is based on Cygwin.
1. Edit \cygwin\usr\ssl\openssl.cnf
2. At line 121: uncomment req_extensions = v3_req
3. At line 211: under [ v3_req ], add the following:
## lines added to get SAN fields in CSR
# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate…
subjectAltName = @alt_names

# @alt_names above refers to this section, which must exist
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = www.example2.com
DNS.3 = www.example3.com
You can check the newly created request to ensure that the SAN names are in it:
$ openssl req -text -noout -verify -in cert.req
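The same procedure as a script, added here as an example that is not part of the original post. It goes beyond the steps above in one respect: instead of editing the shared openssl.cnf, it writes a separate config file with the same [ v3_req ] and [ alt_names ] sections and passes it with -config, then generates the key and CSR and checks that the request carries exactly the expected names. The function names and the file names san.cnf, cert.key and cert.req are assumptions.

```shell
#!/bin/sh
# Added example. File names (san.cnf, cert.key, cert.req) are assumptions.

# make_san_csr DIR CN NAME... : write DIR/san.cnf, then DIR/cert.key and DIR/cert.req
make_san_csr() {
    dir=$1; cn=$2; shift 2
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
        printf 'req_extensions = v3_req\n\n'
        printf '[ dn ]\nCN = %s\n\n' "$cn"
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$dir/san.cnf"
    # umask 077 in a subshell: the unencrypted key is readable by its owner only
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/cert.key" -out "$dir/cert.req" \
          -config "$dir/san.cnf" )
}

# csr_sans FILE : print the DNS names requested in the CSR, one per line, sorted
csr_sans() {
    openssl req -noout -text -in "$1" |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p' | sort
}

# check_san_csr FILE NAME... : succeed only if the CSR's self-signature
# verifies and its SAN list is exactly the given set of names
check_san_csr() {
    req=$1; shift
    openssl req -noout -verify -in "$req" 2>&1 | grep -q 'verify OK' || return 1
    want=$(printf '%s\n' "$@" | sort)
    [ "$(csr_sans "$req")" = "$want" ]
}
```

For example, `make_san_csr . www.example.com www.example.com www.example2.com www.example3.com` followed by `check_san_csr ./cert.req www.example.com www.example2.com www.example3.com` exits 0 only when no name was dropped or added.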