Lately, I’ve explored creating my own CSRs for use with Let’s Encrypt, so I can control the common name and subject names. I’m neurotic enough that I can’t bear to let Let’s Encrypt decide.
Including additional domains, a technique known as Subject Alternative Names or subjectAltName (SAN), requires a configuration file to pass the relevant arguments to OpenSSL.
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = example.com
emailAddress = ssl@example.com
O = Example Company
OU = Example Unit
L = City
ST = State
C = US

[ req_ext ]
subjectAltName = DNS:www.example.com, DNS:mail.example.com, DNS:files.example.com

Fill in the above with relevant details and save it as example.com.conf. Then, run OpenSSL using this configuration file:
openssl req -new -config example.com.conf -keyout example.com.key -out example.com.csr
Confirm the CSR using this command:
openssl req -text -noout -verify -in example.com.csr
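As an added example (not code from the original post), the script below renders the same three-section config for a given CN and list of names, parses the output of the `openssl req -text -noout` check above to list the DNS entries that actually landed in the CSR, and reports any requested name that is missing. It also folds the CN into the SAN list, since clients match the hostname against the SAN entries and ignore the CN. The function names and SAMPLE_REQ_TEXT are assumptions of this example; only main() needs the openssl binary on PATH.

```python
import re
import subprocess
import tempfile
from pathlib import Path

def build_req_config(cn, sans, email="ssl@example.com", org="Example Company"):
    """Config text in the post's [req]/[dn]/[req_ext] layout, one DNS: entry per name.
    Clients match the hostname against the SAN list and ignore the CN, so the CN is
    added to the SAN list when it is not already there."""
    names = [cn] + [s for s in sans if s != cn]
    alt = ", ".join(f"DNS:{n}" for n in names)
    return "\n".join([
        "[ req ]", "default_bits = 4096", "prompt = no", "encrypt_key = no",
        "default_md = sha256", "distinguished_name = dn", "req_extensions = req_ext",
        "", "[ dn ]", f"CN = {cn}", f"emailAddress = {email}", f"O = {org}",
        "", "[ req_ext ]", f"subjectAltName = {alt}", "",
    ])

def san_names_from_req_text(text):
    """DNS names in the SAN extension of `openssl req -text -noout` output ([] if none)."""
    m = re.search(r"Subject Alternative Name:[ \t]*\n[ \t]*(.+)", text)
    entries = [e.strip() for e in m.group(1).split(",")] if m else []
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]

def missing_sans(expected, req_text):
    """Requested names that are absent from the CSR's SAN extension."""
    present = set(san_names_from_req_text(req_text))
    return [n for n in expected if n not in present]

# Constructed sample of `openssl req -text -noout` output (relevant lines only);
# the CN example.com is deliberately absent from its SAN list.
SAMPLE_REQ_TEXT = """\
        Subject: CN = example.com, emailAddress = ssl@example.com
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:www.example.com, DNS:mail.example.com, DNS:files.example.com
"""

def main(cn="example.com", sans=("www.example.com", "mail.example.com")):
    """Run the post's two commands on a generated config, then check the CSR's SANs."""
    with tempfile.TemporaryDirectory() as d:
        conf, key, csr = (Path(d, f"{cn}.{ext}") for ext in ("conf", "key", "csr"))
        conf.write_text(build_req_config(cn, sans))
        run = lambda *a: subprocess.run(a, check=True, capture_output=True, text=True)
        run("openssl", "req", "-new", "-config", conf, "-keyout", key, "-out", csr)
        out = run("openssl", "req", "-text", "-noout", "-verify", "-in", csr).stdout
        print("missing from CSR:", missing_sans([cn, *sans], out) or "none")
if __name__ == "__main__":
    print("sample check:", missing_sans(["example.com", "www.example.com"], SAMPLE_REQ_TEXT))
    main()
```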
Aside
The preceding is contingent on your OpenSSL configuration enabling the SAN extensions (v3_req) for its req commands, in addition to the x509 commands.
In /etc/ssl/openssl.cnf, you may need to uncomment this line:
# req_extensions = v3_req # The extensions to add to a certificate request