Create with SANs

A SAN (Subject Alternative Name) is an alternative name or address for which a TLS certificate should be considered valid. A SAN can be either a DNS name or an IP address, and a certificate can carry several of them.

To create one, first place the following into a file named openssl.cnf, amending the [alt_names] section as appropriate:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = London
localityName = Locality Name (eg, city)
localityName_default = Wood Green
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Luke Carrier
commonName = Common Name (eg, server FQDN)
commonName_default = myname.tld
commonName_max = 64

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = myname.tld
DNS.2 = myname
IP.1 = 10.0.0.1
IP.2 = 10.0.0.2

Create a private key:

openssl genrsa -out myname.tld.key 2048

Create a CSR:

openssl req \
        -new -out myname.tld.csr \
        -key myname.tld.key -config openssl.cnf \
        -subj '/C=GB/ST=London/L=Wood Green/O=Luke Carrier/OU=Technology/CN=myname.tld'

Finally, self-sign the certificate. Note that openssl x509 -req does not carry the CSR's extensions over into the certificate by default, so the v3_req section is supplied again with -extensions and -extfile:

openssl x509 \
        -req -days 3650 \
        -in myname.tld.csr -signkey myname.tld.key \
        -out myname.tld.crt \
        -extensions v3_req -extfile openssl.cnf
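The whole procedure above as one runnable script, added here as an example and not taken from the original page: it writes the config (using prompt = no so the subject comes from the config rather than from -subj), generates the key, CSR and self-signed certificate, then checks that the SANs actually landed in the certificate and that openssl verify accepts one of the alternative names. The function names, the 2>/dev/null redirects and the scratch directory are this example's own assumptions; the hostname and addresses are the page's.

```shell
#!/bin/sh
# Added example: self-signed certificate with SANs, plus a check of the result.
# Requires the openssl command-line tool (1.1.0 or later for -verify_hostname).

# Write the OpenSSL config for $1 (hostname) into $2 (directory).
# prompt = no lets the subject be read from the config, so no -subj is needed.
write_san_config() {
    host="$1"; dir="$2"
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = GB
ST = London
L = Wood Green
O = Luke Carrier
OU = Technology
CN = $host

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
DNS.2 = ${host%%.*}
IP.1 = 10.0.0.1
IP.2 = 10.0.0.2
EOF
}

# Key, CSR and self-signed certificate (valid 3650 days, as on the page).
make_san_cert() {
    host="$1"; dir="$2"
    write_san_config "$host" "$dir"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -config "$dir/openssl.cnf" \
        -out "$dir/$host.csr"
    # x509 -req does not copy the CSR's extensions by default, so the
    # v3_req section is passed again via -extensions/-extfile.
    openssl x509 -req -days 3650 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" \
        -extensions v3_req -extfile "$dir/openssl.cnf" 2>/dev/null
}

# Print the SAN list of certificate $1, e.g.
# "DNS:myname.tld, DNS:myname, IP Address:10.0.0.1, IP Address:10.0.0.2"
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# Exit 0 if certificate $1 (used as its own trust anchor, since it is
# self-signed) is valid for hostname $2, nonzero otherwise.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo: build the certificate in a scratch directory, show its SANs.
demo_dir="$(mktemp -d)"
make_san_cert myname.tld "$demo_dir"
echo "SANs: $(cert_sans "$demo_dir/myname.tld.crt")"
rm -rf "$demo_dir"
```

The last check is the one that matters in practice: a client connecting to https://myname/ accepts this certificate only because "myname" is listed as a SAN, not because of the CN. Browsers and most modern TLS libraries ignore the CN entirely, so a certificate without the names you actually connect to in [alt_names] will be rejected even if the CN matches.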
