Generating a CSR with SAN at the command line

Lately, I’ve explored creating my own CSRs for use with Let’s Encrypt, so I can control the common name and subject names. I’m neurotic enough that I can’t bear to let Let’s Encrypt decide.

Including additional domains, a technique known as Subject Alternatives Names or subjectAltName (SAN), requires a configuration file to pass the relevant arguments to OpenSSL.

[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN =
emailAddress =
O = Example Company
OU = Example Unit
L = City
ST = State
C = US

[ req_ext ]
subjectAltName = DNS:, DNS:, DNS:

Fill in the above with relevant details and save it as Then, run OpenSSL using this configuration file:

openssl req -new -config -keyout -out

Confirm the CSR using this command:

openssl req -text -noout -verify -in


The preceding is contingent on your OpenSSL configuration enabling the SAN extensions (v3_req) for its req commands, in addition to the x509 commands.

In /etc/ssl/openssl.cnf, you may need to uncomment this line:

# req_extensions = v3_req # The extensions to add to a certificate request

Leave a Reply