Generate an SSL certificate with Subject Alternative Names using openssl

We assume that openssl is already installed.

User certificate with a SAN

Create a new file named ext.cnf in the folder where the certificates will be generated. Write the following lines to the file:

subjectAltName=@alt_names

[alt_names]
DNS.1 = your_site.com
DNS.2 = your_site.org

Replace the records in the alt_names section with your own.

Now add the following flag to the command you use for certificate generation:

-extfile ext.cnf

The result will look something like this:

openssl x509 -req -CA ca_cert -CAkey ca_key -in cert_file -out cert_signed -days 365 -CAcreateserial -passin pass:qwe123 -extfile ext.cnf

The command example is taken from the article about generating SSL certificates.
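To check that the SAN really ends up in the signed certificate, the script below signs the same request twice, once without and once with -extfile ext.cnf, and prints the SAN line of each result. It is an added example, not part of the original article; the temporary directory, the throwaway unencrypted keys, the CN values and the file names cert_key and cert_no_san are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway CA and keys in a temp dir; subjects are constructed.

# Print the SAN value line of a certificate (empty if the extension is absent).
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Create a CA and a CSR, then sign the CSR twice: without and with -extfile.
# Prints the working directory on stdout.
build_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf '%s\n' 'subjectAltName=@alt_names' '' '[alt_names]' \
            'DNS.1 = your_site.com' 'DNS.2 = your_site.org' > ext.cnf
        # Throwaway CA with an unencrypted key, so no -passin is needed here.
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=Demo Test CA' -keyout ca_key -out ca_cert || exit 1
        # Key and CSR for the user certificate.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj '/CN=your_site.com' -keyout cert_key -out cert_file || exit 1
        # Signing command without the extension file ...
        openssl x509 -req -CA ca_cert -CAkey ca_key -in cert_file \
            -out cert_no_san -days 1 -CAcreateserial || exit 1
        # ... and with it.
        openssl x509 -req -CA ca_cert -CAkey ca_key -in cert_file \
            -out cert_signed -days 1 -CAcreateserial -extfile ext.cnf || exit 1
    ) >&2 || return 1
    echo "$dir"
}

d=$(build_demo) || exit 1
echo "without -extfile: [$(cert_sans "$d/cert_no_san")]"
echo "with -extfile:    [$(cert_sans "$d/cert_signed")]"
rm -rf "$d"
```

The same cert_sans check can be run against any certificate you issue before deploying it.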

CA certificate with a SAN

Find the openssl.cnf configuration file:

For Linux it can be:

/usr/lib/ssl/openssl.cnf (primary)
/usr/local/ssl/openssl.cnf

For RHEL Linux it is:

/etc/pki/tls/openssl.cnf

If you can’t find it, use the command:

locate openssl.cnf

It works on both Linux and macOS.

Let’s make a copy of the file and save it to your home directory:

cat <path_that_you_found>/openssl.cnf > ~/openssl.cnf

Open the newly created file ~/openssl.cnf, find the v3_ca section and add this line to it:

subjectAltName=@alt_names

At the end of the file, add a new section named alt_names:

[alt_names]
DNS.1 = your_site.com
DNS.2 = your_site.org

Replace the records in the alt_names section with your own.

Now add the following flag to the command you use for CA certificate generation:

-config ~/openssl.cnf

The result will look something like this:

openssl req -new -x509 -keyout ca_key -out ca_cert -config ~/openssl.cnf

The command example is taken from the article about generating SSL certificates.

If you still have any questions, feel free to ask me in the comments under this article, or write to me at promark33@gmail.com.
