openssl command to generate csr with subject alternative names

Author

Reads 1.2K

Hands using a TAN generator next to a laptop for secure online banking transactions.
Credit: pexels.com, Hands using a TAN generator next to a laptop for secure online banking transactions.

Generating a Certificate Signing Request (CSR) with Subject Alternative Names (SAN) using OpenSSL is a straightforward process.

The OpenSSL command to generate a CSR with SAN is openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj "/C=US/ST=State/L=Locality/O=Organization/CN=example.com" -reqexts SAN -config <(cat openssl.cnf <(printf "[SAN]

subjectAltName=DNS:example.com,DNS:www.example.com")).

You can also use the subjectAltName option to specify multiple SAN values. For example, you can add multiple DNS entries by separating them with commas.

To specify multiple SAN values, you can use the subjectAltName option multiple times, like so: subjectAltName=DNS:example.com,DNS:www.example.com,DNS:blog.example.com.

Check this out: Openssl Example

Problem:

Firefox has stopped accepting self-signed certificates that don't have a SAN extension, this is because the "subject common name" fallback support was removed from certificate validation.

Since 2012, the CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension.

Firefox from version 101.0 onwards only uses SAN for matching domain names to certificates, and no longer relies on the subject common name.

This change affects self-signed certificates for internal devices, which need to be regenerated to include the SAN extension.

The use of subject common name was deprecated in RFC 2818, and it's now mandatory to include the SAN extension in certificates.

Here's an interesting read: Openssl Subject Alternative Name

Solution

Credit: youtube.com, How to create CSR for multiple domains (SAN - Subject Alternative Name) using OpenSSL ?

To create a Certificate Signing Request (CSR) with Subject Alternative Names (SAN), you'll need to generate a config file on your local environment, specifically a `san.cnf` file.

This file will contain the necessary information for your SAN certificate, including the DNS names you want to include.

The next step is to generate the CSR referencing the `san.cnf` config file using the `openssl req` command, like this: `openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout server-key.pem -config san.cnf`.

To verify the SANs present within the CSR, you can use the `openssl req` command with the `-noout` and `-text` options, and then pipe the output to `grep DNS`, like this: `openssl req -noout -text -in sslcert.csr | grep DNS`.

It's worth noting that extensions in certificates are not transferred to certificate requests and vice versa, so you'll need to add the SAN extensions to the certificate explicitly.

Here are the basic steps to create a CSR with SAN:

  • Create a `san.cnf` file on your local environment
  • Generate the CSR referencing the `san.cnf` config file
  • Verify the SANs present within the CSR

Generating CSR

Credit: youtube.com, OpenSSL Step By Step Tutorial | How to Generate Keys, Certificates & CSR Using OpenSSL

To generate a Certificate Signing Request (CSR) with Subject Alternative Names (SAN), you'll need to create a configuration file. This file is created using a text editor of your choice, such as Notepad or TextEdit, and is saved as "synology-1512.cnf".

A CSR is generated using the OpenSSL command line. To create a new CSR with SAN, you'll need to use the "openssl generate csr with san" command line. This command will be used in the next step to create a certificate.

If you encounter an error while generating the CSR, adding "-subj /" to the end of the command may resolve the issue. This was suggested by a user who had a similar problem and was able to fix it by making this addition.

Verifying and Signing

Verifying and signing your Certificate Signing Request (CSR) with Subject Alternative Name (SAN) is a crucial step in the process.

First, verify the content of your CSR to ensure it contains the Subject Alternative Name section under "Requested Extensions".

Credit: youtube.com, How to Sign a CSR with OpenSSL

Your CSR should contain all the IP Address and DNS values you provided while generating the CSR for SAN.

To sign your CSR, use the OpenSSL command with the -extfile argument, specifying the filename of your Subject Alternative Name extension.

Here's a step-by-step guide to signing your CSR with SAN:

  • Use the OpenSSL command `openssl x509` to create a SAN certificate.
  • Specify the server.csr file and the CA Certificate Chain and CA key.
  • Set the certificate validity to 365 days and the algorithm to sha256.
  • Provide the passphrase for your CA key using the -passin argument.

Margaret Schoen

Writer

Margaret Schoen is a skilled writer with a passion for exploring the intersection of technology and everyday life. Her articles have been featured in various publications, covering topics such as cloud storage issues and their impact on modern productivity. With a keen eye for detail and a knack for breaking down complex concepts, Margaret's writing has resonated with readers seeking practical advice and insight.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.