Generating a CSR with SAN at the command line

Lately, I’ve explored creating my own CSRs for use with Let’s Encrypt, so I can control the common name and subject names. I’m neurotic enough that I can’t bear to let Let’s Encrypt decide.

Including additional domains in one certificate, using the Subject Alternative Name (subjectAltName, SAN) extension, requires a configuration file to pass the relevant arguments to OpenSSL. Note that modern browsers ignore the CN entirely and match a site only against the SAN list, so the name you put in CN should also appear in subjectAltName.

[ req ]
default_bits = 4096
prompt = no
# The private key is written unencrypted; keep its file permissions tight.
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = example.com
emailAddress = ssl@example.com
O = Example Company
OU = Example Unit
L = City
ST = State
C = US

[ req_ext ]
# List the CN here as well: clients validate hostnames against SAN, not CN.
subjectAltName = DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:files.example.com

Fill in the above with relevant details and save it as example.com.conf. Then run OpenSSL using this configuration file. Because encrypt_key = no, the private key lands on disk unencrypted, so run the command under a restrictive umask (for example umask 077) or chmod 600 the .key file immediately afterwards:

openssl req -new -config example.com.conf -keyout example.com.key -out example.com.csr

Confirm the CSR using this command, and check that the Requested Extensions block it prints lists every name you expect under X509v3 Subject Alternative Name (a CSR that silently lost its SAN entries yields a certificate valid for the CN alone):

openssl req -text -noout -verify -in example.com.csr
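The steps above as one script, added here as an example rather than code from the original post. It writes the configuration with the CN repeated in the SAN list, generates the key under umask 077 so the unencrypted key is never world-readable, verifies the CSR, and parses the SAN entries back out so a caller can assert that each name really made it into the request. It assumes the openssl CLI is on PATH; the domain names are placeholders and the CSR_BITS variable (defaulting to 4096) is my own addition for choosing the key size.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` is on PATH.
# Names, paths and the CSR_BITS knob are assumptions made for illustration.
set -eu

# write_csr_config DIR CN [SAN ...]  -> prints the path of the generated config.
# The CN is listed in subjectAltName too, because clients ignore CN.
write_csr_config() {
  dir=$1; cn=$2; shift 2
  conf="$dir/$cn.conf"
  sans="DNS:$cn"
  for name in "$@"; do
    sans="$sans,DNS:$name"
  done
  cat > "$conf" <<EOF
[ req ]
default_bits = ${CSR_BITS:-4096}
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = $cn
O = Example Company
C = US

[ req_ext ]
subjectAltName = $sans
EOF
  printf '%s\n' "$conf"
}

# make_csr DIR CN -> prints the CSR path. The key is written beside it;
# umask 077 in the subshell makes openssl create it mode 0600.
make_csr() {
  dir=$1; cn=$2
  ( umask 077
    openssl req -new -config "$dir/$cn.conf" \
      -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null )
  printf '%s\n' "$dir/$cn.csr"
}

# csr_verify CSR -> exit 0 if the CSR's self-signature checks out.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_sans CSR -> the DNS names in the CSR's subjectAltName, one per line.
# The names sit on the line after the "Subject Alternative Name:" header.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed 's/^ *DNS://; s/ *$//'
}

# csr_covers CSR NAME -> exit 0 if NAME is one of the SAN entries.
csr_covers() {
  csr_sans "$1" | grep -qx "$2"
}

# Usage (uncomment to run directly):
#   d=$(mktemp -d); write_csr_config "$d" example.com www.example.com >/dev/null
#   csr=$(make_csr "$d" example.com); csr_verify "$csr" && csr_sans "$csr"
```

csr_sans deliberately reads the names back from the CSR rather than from the config file you wrote: the point of the check is to catch a configuration that OpenSSL silently ignored (a misspelled section name, a req_extensions line that was not honoured), which only shows up in the request itself.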

Aside

The -config option makes OpenSSL read the req settings from your file instead of the system-wide one, so the req_extensions = req_ext line above is what enables the SAN extension here. If you instead drive openssl req from the system configuration (for example with -reqexts v3_req and a subjectAltName added to its [ v3_req ] section), that file must itself point the req command at an extensions section, in addition to the x509 ones.

In the stock openssl.cnf shipped with OpenSSL (commonly /etc/ssl/openssl.cnf), that means uncommenting this line:

# req_extensions = v3_req # The extensions to add to a certificate request
