Create with SANs

A subject alternative name (SAN) is an additional name or address for which a TLS certificate should be considered valid. A SAN can be either a DNS name or an IP address.

To create one, first place the following into a file named openssl.cnf, amending the [alt_names] section as appropriate:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = London
localityName = Locality Name (eg, city)
localityName_default = Wood Green
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Luke Carrier
commonName = myname.tld
commonName_max = 64

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
# One entry per name; set an address on each IP.* line you use and delete the rest
DNS.1 = myname.tld
DNS.2 = myname
IP.1 =
IP.2 =

Create a private key:

openssl genrsa -out myname.tld.key 2048

Create a CSR:

openssl req \
        -new -out myname.tld.csr \
        -key myname.tld.key -config openssl.cnf \
        -subj '/C=GB/ST=London/L=Wood Green/O=Luke Carrier/OU=Technology/CN=myname.tld'

Finally, self-sign the certificate:

openssl x509 \
        -req -days 3650 \
        -in myname.tld.csr -signkey myname.tld.key \
        -out myname.tld.crt \
        -extensions v3_req -extfile openssl.cnf
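
The signing step passes `-extensions v3_req -extfile openssl.cnf` because `openssl x509 -req` does not carry the CSR's requested extensions into the certificate by default. The script below is an added example, not part of the original page: it runs the same three steps in a scratch directory and prints the certificate's SANs with and without those options. The function names and the address 192.0.2.10 are assumptions made for the example.

```shell
# Added example; names and 192.0.2.10 (documentation range) are constructed.
# Write a minimal version of the config, with all four section headers.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
commonName = Common Name

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = myname.tld
DNS.2 = myname
IP.1 = 192.0.2.10
EOF
}

# Print the subjectAltName value of a certificate, or nothing if it has none.
san_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Key, CSR, self-sign in a scratch directory; print the certificate's SANs.
# $1 = "extfile" signs with -extensions/-extfile; anything else omits them.
make_cert() {
    dir=$(mktemp -d) || return 1
    write_cnf "$dir/openssl.cnf"
    openssl genrsa -out "$dir/k.key" 2048 2>/dev/null
    openssl req -new -key "$dir/k.key" -out "$dir/k.csr" \
        -config "$dir/openssl.cnf" -subj '/CN=myname.tld'
    if [ "$1" = extfile ]; then
        set -- -extensions v3_req -extfile "$dir/openssl.cnf"
    else
        set --
    fi
    openssl x509 -req -days 30 -in "$dir/k.csr" -signkey "$dir/k.key" \
        -out "$dir/k.crt" "$@" 2>/dev/null
    san_of "$dir/k.crt"
    rm -rf "$dir"
}

echo "with -extfile:    $(make_cert extfile)"
echo "without -extfile: $(make_cert none)"
```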