
Generating a Certificate Signing Request (CSR) with Subject Alternative Names (SAN) using OpenSSL is a straightforward process.
The OpenSSL command to generate a CSR with SAN is openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj "/C=US/ST=State/L=Locality/O=Organization/CN=example.com" -reqexts SAN -config <(cat openssl.cnf <(printf "[SAN]
subjectAltName=DNS:example.com,DNS:www.example.com")).
You can also use the subjectAltName option to specify multiple SAN values. For example, you can add multiple DNS entries by separating them with commas.
To specify multiple SAN values, you can use the subjectAltName option multiple times, like so: subjectAltName=DNS:example.com,DNS:www.example.com,DNS:blog.example.com.
Check this out: Openssl Example
Problem:
Firefox has stopped accepting self-signed certificates that don't have a SAN extension, this is because the "subject common name" fallback support was removed from certificate validation.
Since 2012, the CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension.
Firefox from version 101.0 onwards only uses SAN for matching domain names to certificates, and no longer relies on the subject common name.
This change affects self-signed certificates for internal devices, which need to be regenerated to include the SAN extension.
The use of subject common name was deprecated in RFC 2818, and it's now mandatory to include the SAN extension in certificates.
Here's an interesting read: Openssl Subject Alternative Name
Solution
To create a Certificate Signing Request (CSR) with Subject Alternative Names (SAN), you'll need to generate a config file on your local environment, specifically a `san.cnf` file.
This file will contain the necessary information for your SAN certificate, including the DNS names you want to include.
The next step is to generate the CSR referencing the `san.cnf` config file using the `openssl req` command, like this: `openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout server-key.pem -config san.cnf`.
To verify the SANs present within the CSR, you can use the `openssl req` command with the `-noout` and `-text` options, and then pipe the output to `grep DNS`, like this: `openssl req -noout -text -in sslcert.csr | grep DNS`.
It's worth noting that extensions in certificates are not transferred to certificate requests and vice versa, so you'll need to add the SAN extensions to the certificate explicitly.
Here are the basic steps to create a CSR with SAN:
- Create a `san.cnf` file on your local environment
- Generate the CSR referencing the `san.cnf` config file
- Verify the SANs present within the CSR
Generating CSR
To generate a Certificate Signing Request (CSR) with Subject Alternative Names (SAN), you'll need to create a configuration file. This file is created using a text editor of your choice, such as Notepad or TextEdit, and is saved as "synology-1512.cnf".
A CSR is generated using the OpenSSL command line. To create a new CSR with SAN, you'll need to use the "openssl generate csr with san" command line. This command will be used in the next step to create a certificate.
If you encounter an error while generating the CSR, adding "-subj /" to the end of the command may resolve the issue. This was suggested by a user who had a similar problem and was able to fix it by making this addition.
Consider reading: Create Pfx from Crt and Key Openssl
Verifying and Signing
Verifying and signing your Certificate Signing Request (CSR) with Subject Alternative Name (SAN) is a crucial step in the process.
First, verify the content of your CSR to ensure it contains the Subject Alternative Name section under "Requested Extensions".
Explore further: Website Name Generator Free
Your CSR should contain all the IP Address and DNS values you provided while generating the CSR for SAN.
To sign your CSR, use the OpenSSL command with the -extfile argument, specifying the filename of your Subject Alternative Name extension.
Here's a step-by-step guide to signing your CSR with SAN:
- Use the OpenSSL command `openssl x509` to create a SAN certificate.
- Specify the server.csr file and the CA Certificate Chain and CA key.
- Set the certificate validity to 365 days and the algorithm to sha256.
- Provide the passphrase for your CA key using the -passin argument.
Featured Images: pexels.com


