
Creating a secure server certificate with OpenSSL involves specifying the Subject Alternative Name (SAN) extension. This extension is crucial for enabling multiple domain names to be associated with a single certificate.
The SAN extension can be specified in the OpenSSL configuration file or directly on the command line when generating the certificate request. For example, you can add the following lines to your OpenSSL configuration file to specify the SAN extension: `subjectAltName = DNS:example.com, DNS:www.example.com`.
Each SAN entry must be separated by a comma and enclosed in quotes. The DNS: prefix is used to specify a domain name.
The SAN extension can be used to specify multiple domain names, such as example.com, www.example.com, and blog.example.com. This allows a single certificate to be used for multiple websites.
Expand your knowledge: Cannot Load Such File Openssl
Creating Certificates with OpenSSL
You can generate a Certificate Signing Request (CSR) with Alternative Names using a one-liner command with OpenSSL.
To do this, you need to specify all the common subject entries, including the Common Name (CN), Country (C), State (ST), City (L), Organization (O), Organization Unit (OU), and emailAddress. You also need to add the subjectAltName field and specify the DNS names you want to include.
Here's an example of how to generate a CSR that covers *.your-new-domain.com and your-new-domain.com in one command:
openssl req -new -newkey rsa:2048 -nodes -keyout your-new-domain.com.key -out your-new-domain.com.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=your-new-domain.com/[email protected]" -config <(cat san.cnf <
[req]
prompt=no
distinguished_name = dn_details
[dn_details]
C=US
ST=State
L=City
O=Organization
OU=Unit
CN=your-new-domain.com
subjectAltName=DNS:your-new-domain.com,DNS:*.your-new-domain.com
EOF
)
You can also use the -sha256 option to enable SHA256 signing instead of the old SHA1.
Here's a list of the common subject entries you'll need:
- C - Country
- ST - State
- L - City
- O - Organization
- OU - Organization Unit
- CN - Common Name (eg: the main domain the certificate should cover)
- emailAddress - main administrative point of contact for the certificate
Subject Alternative Name
The Subject Alternative Name (SAN) extension allows various literal values to be included in the configuration file, such as email addresses, URI, DNS domain names, and IP addresses.
You can include a special 'copy' value in the email option to automatically include email addresses contained in the certificate subject name in the extension.
The IP address used in the IP options can be in either IPv4 or IPv6 format.
To generate a certificate with SAN extension using OpenSSL, you need to create a config first, which can include the IP address and other desired values.
For your interest: Alternative Email Addresses
You can add additional IP addresses and hostnames in this section, making it easy to include multiple values.
The subject alternative name extension allows identities to be bound to the subject of the certificate, including Internet electronic mail addresses, DNS names, IP addresses, and Uniform Resource Identifiers (URI).
SAN can be used to issue certificates not only for multiple hostnames, but also for IP addresses.
There is no guarantee that a specific implementation will process a given extension, so it's essential to use certificates responsibly.
You should use the DER and ASN1 options with caution, as it's possible to create totally invalid extensions if they are not used carefully.
If an extension is multi-value and a field value must contain a comma, the long form must be used to avoid misinterpretation.
Certificate Configuration
To generate a certificate with a Subject Alternative Name (SAN) extension, you'll need to create a configuration file. This is done by creating a text file with a specific format, such as san.cnf.
In this file, you'll specify the IP address and optionally additional IP addresses and hostnames. This is where the magic happens, and the certificate is configured with the desired SAN extension.
The configuration file is then passed to OpenSSL, which generates a certificate with a private key.
Broaden your view: Openssl San
Create CSRF Configuration File

To create a CSRF configuration file, you'll need to create a configuration file that will be used to generate the CSR. This file is typically named synology-1512.cnf and can be created using the text editor of your choice.
The name of the configuration file is specified as synology-1512.cnf, which is a crucial detail to note.
This file is a crucial step in the process of generating a CSR, and its name is directly referenced in the example provided.
The configuration file is used to generate the CSR, and it's essential to have it ready before proceeding with the next steps.
Curious to learn more? Check out: Openssl to Create Certificate
Issuer Name
The issuer alternative name option is a convenient feature that supports all the literal options of subject alternative name.
You can use it to specify alternative names for the issuer, such as URLs or DNS names.
The issuer alternative name option does not support the email:copy option because it wouldn't make sense in this context.
However, it does support an additional issuer:copy option that will copy all the subject alternative name values from the issuer certificate, if possible.
This can be a huge time-saver if you need to duplicate a lot of information from the issuer certificate.
Readers also liked: Html Email Subject
OpenSSl CSR
To generate a Certificate Signing Request (CSR) with OpenSSL, you need to use a specific syntax that includes the subjectAltName field. This field allows you to specify multiple hostnames or IP addresses that the certificate should cover.
Here's an example of how to generate a CSR with multiple hostnames: openssl req -new -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr -subj "/C=US/ST=State/L=Locality/O=Organization/CN=mydomain.com/[email protected]" -config <(cat /path/to/openssl.cnf <(echo "[req]" <
distinguished_name = dn_details
req_extensions = v3_req
EOF
)) -extensions v3_req -reqexts v3_req -config /path/to/openssl.cnf
You can add as many DNS.n entries under the subjectAltName field as you want, separated by commas. For example, to cover both www.example.com and example.com, you would add DNS.1 = example.com and DNS.2 = www.example.com.
Here's a list of the common Subject entries you'll need to specify:
- C — Country
- ST — State
- L — City
- O — Organization
- OU — Organization Unit
- CN — Common Name (eg: the main domain the certificate should cover)
- emailAddress — main administrative point of contact for the certificate
Make sure to use the -sha256 option to enable SHA256 signing instead of the old SHA1 algorithm, which is now deprecated.
Featured Images: pexels.com


