Create with SANs
A SAN is an alternative name or address for which a TLS certificate should be considered valid. A SAN can be either a DNS name or an IP address.
To create a certificate with SANs, first place the following into a file named openssl.cnf, amending the [alt_names] section as appropriate:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = London
localityName = Locality Name (eg, city)
localityName_default = Wood Green
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Luke Carrier
commonName = myname.tld
commonName_max = 64
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = myname.tld
DNS.2 = myname
IP.1 = 10.0.0.1
IP.2 = 10.0.0.2
Create a private key:
openssl genrsa -out myname.tld.key 2048
Create a CSR:
openssl req \
-new -out myname.tld.csr \
-key myname.tld.key -config openssl.cnf \
-subj '/C=GB/ST=London/L=Wood Green/O=Luke Carrier/OU=Technology/CN=myname.tld'
Finally, self-sign the certificate:
openssl x509 \
-req -days 3650 \
-in myname.tld.csr -signkey myname.tld.key \
-out myname.tld.crt \
-extensions v3_req -extfile openssl.cnf
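A pre-flight check for the [alt_names] section, run before generating the CSR, as an added Python example that is not part of the original page. The names lint_alt_names and BROKEN_CNF are made up for illustration, and the parser assumes every key sits under a section header, as in the openssl.cnf above.

```python
import configparser
import ipaddress
import re

# Constructed sample: the page's [alt_names] section with two entries
# deliberately filed under the wrong type.
BROKEN_CNF = """\
[alt_names]
DNS.1 = myname.tld
DNS.2 = 10.0.0.1
IP.1 = 10.0.0.2
IP.2 = myname
"""

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_alt_names(cnf_text, common_name):
    """Return a list of problems found in the [alt_names] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep "DNS.1" / "IP.1" exactly as written
    cp.read_string(cnf_text)
    problems, covered = [], set()
    for key, value in cp["alt_names"].items():
        kind = key.split(".", 1)[0]
        host = value[2:] if value.startswith("*.") else value
        if kind == "DNS" and is_ip(value):
            problems.append(f"{key}: {value} is an IP address, use IP.n")
        elif kind == "DNS" and not all(LABEL.fullmatch(p) for p in host.split(".")):
            problems.append(f"{key}: {value} is not a valid DNS name")
        elif kind == "IP" and not is_ip(value):
            problems.append(f"{key}: {value} is not an IP address, use DNS.n")
        elif kind not in ("DNS", "IP"):
            problems.append(f"{key}: unhandled SAN type {kind}")
        else:
            covered.add(value.lower())
    # Current browsers match names against the SAN list only, not the CN.
    if common_name.lower() not in covered:
        problems.append(f"CN {common_name} is not listed as a SAN")
    return problems
```

An address filed under DNS.n is syntactically acceptable as a hostname, which is why the check tests for IP addresses first; clients compare an IP they connect to against IP entries only.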