Generate/sign CSR with Subject Alternative Name (SAN) – CentOS7/RHEL7

by | Dec 28, 2018 | RHEL / CentOS

This article walks through generating a CSR that carries a SubjectAltName (SAN) extension and then signing it with a local CA. Current browsers require a website certificate to carry a SAN; without one they report a certificate error.

Let’s start by generating a certificate request. The one-liner below builds the request and includes the SubjectAltName by appending a [SAN] section to the system openssl.cnf and selecting it with -reqexts SAN.

On the host generating the CSR

# openssl req -new -nodes -sha256 -out testwps.off.local.csr -newkey rsa:2048 -keyout testwps.off.local.key -extensions v3_req -subj "/C=UK/ST=BRK/O=Personal/CN=testwps.off.local" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:testwps.off.local,DNS:testwps"))

Key:

testwps.off.local = Change it to the required hostname.

subjectAltName=DNS: = Give the required Alternative Names of the host/website (one DNS: entry per name, comma separated).

-subj

  • /C = Change it to the required Country
  • /ST = Change it to the required State
  • /O = Change it to the required Organisation
  • /CN = Change it to the required CommonName or Hostname

Verify that the generated “.csr” includes AltName.

# openssl req -text -noout -verify -in testwps.off.local.csr | grep -A2 Alternative

Output:

[root@testwps ~]# openssl req -text -noout -verify -in testwps.off.local.csr | grep -A2 Alternative
verify OK
X509v3 Subject Alternative Name:
DNS:testwps.off.local, DNS:testwps
Signature Algorithm: sha256WithRSAEncryption

Now copy the CSR to the CA server using “scp” and sign the request there. Remember to supply the SAN again in the signing one-liner: "openssl x509 -req" does not copy extensions out of the CSR, so a certificate signed without the -extfile would have no SAN even though the request had one.

On CA Server

*** Note: Make sure to uncomment "req_extensions = v3_req" in "openssl.cnf" ***

# openssl x509 -req -days 730 -sha256 -extfile <(printf "subjectAltName=DNS:testwps.off.local,DNS:testwps") -in testwps.off.local.csr -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -out testwps.off.local.crt

Output:

[ca:/etc/pki/CA]# openssl x509 -req -days 730 -sha256 -extfile <(printf "subjectAltName=DNS:testwps.off.local,DNS:testwps") -in testwps.off.local.csr -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -out testwps.off.local.crt
Signature ok
subject=/C=UK/ST=BRK/O=Personal/CN=testwps.off.local
Getting CA Private Key

Verify that the generated “.crt” includes AltName.

# openssl x509 -in testwps.off.local.crt -text -noout | grep -A2 Alternative

Output:

[ca:/etc/pki/CA]# openssl x509 -in testwps.off.local.crt -text -noout | grep -A2 Alternative
X509v3 Subject Alternative Name:
DNS:testwps.off.local, DNS:testwps
Signature Algorithm: sha256WithRSAEncryption
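The whole procedure as an added shell example (not the article's own commands): each step is wrapped in a function so the SAN can be checked after the CSR is built and again after signing. It uses a throw-away test CA and a minimal config file in place of /etc/pki/tls/openssl.cnf; the function names (write_req_cfg, make_test_ca, gen_csr, sign_csr, san_of, demo) and the CA subject are mine, while the host name and subject fields are the article's sample values.

```shell
#!/bin/sh
# Added example, not the article's own commands. Each step is a function so the
# SAN can be checked after the CSR and again after signing. The CA subject and
# the working directory are constructed for the demo.
set -e

# Minimal req config for host $1 with SAN list $2 (e.g. "DNS:a,DNS:b");
# the [SAN] section is the one the article appends to openssl.cnf.
write_req_cfg() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nC=UK\nST=BRK\nO=Personal\nCN=%s\n[SAN]\nsubjectAltName=%s\n' "$1" "$2"
}

# Throw-away CA (CA:TRUE so `openssl verify` accepts the chain).
make_test_ca() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca\n[dn]\nCN=Example Test CA\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > ca.cnf
  openssl req -x509 -new -nodes -sha256 -newkey rsa:2048 -days 1 \
    -keyout ca.key -out ca.crt -config ca.cnf 2>/dev/null
}

# Key + CSR carrying the SAN (-reqexts SAN, as in the article's one-liner).
gen_csr() {
  write_req_cfg "$1" "$2" > "$1.cnf"
  openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout "$1.key" \
    -out "$1.csr" -config "$1.cnf" -reqexts SAN 2>/dev/null
}

# Sign with the test CA. `openssl x509 -req` does not copy extensions from
# the CSR, so the SAN has to be supplied again through -extfile.
sign_csr() {
  printf 'subjectAltName=%s\n' "$2" > "$1.ext"
  openssl x509 -req -days 730 -sha256 -in "$1.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Print the SAN of a CSR ($1=req) or certificate ($1=x509) as "DNS:a,DNS:b";
# prints nothing when the file has no SAN.
san_of() {
  openssl "$1" -noout -text -in "$2" | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | grep DNS | tr -d ' ' || true
}

# Run everything in the current directory; succeeds only if the SAN survived
# into both the CSR and the signed certificate.
demo() {
  make_test_ca && gen_csr "$1" "$2" && sign_csr "$1" "$2"
  [ "$(san_of req "$1.csr")" = "$2" ] && [ "$(san_of x509 "$1.crt")" = "$2" ]
}
```

Run it from an empty directory, e.g. `demo testwps.off.local "DNS:testwps.off.local,DNS:testwps"`; a signed certificate that lost the SAN makes demo return non-zero.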

Please do let us know if you come across any issues and we will try to help resolve as soon as we can.
