Generate/sign CSR with Subject Alternative Name (SAN) - CentOS7/RHEL7

This article walks through generating a CSR that carries a SubjectAltName (SAN) and then signing it with your own CA so that the SAN ends up in the issued certificate. Current browsers require the website certificate to carry a SAN matching the hostname; a certificate that relies on the CommonName alone is reported as an error.

Let's start by generating the certificate request. The one-liner below creates a new 2048-bit RSA key and a CSR that includes the SubjectAltName. It uses bash process substitution ("<( )") to append a [SAN] section to a copy of the system openssl.cnf, so the file on disk is not modified.

On the host generating the CSR

# openssl req -new -nodes -sha256 -out testwps.off.local.csr -newkey rsa:2048 -keyout testwps.off.local.key -extensions v3_req -subj "/C=UK/ST=BRK/O=Personal/CN=testwps.off.local" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:testwps.off.local,DNS:testwps"))

Key:

testwps.off.local = Change it to the required hostname. It is used for the key/CSR file names, the CN and the first SAN entry.

subjectAltName=DNS:... = Give the required alternative names of the host/website as a comma-separated list of DNS: entries. Every name the site will be reached by must be listed here, including the one in the CN.

-subj

  • /C = Change it to the required Country
  • /ST = Change it to the required State
  • /O = Change it to the required Organisation
  • /CN = Change it to the required CommonName or Hostname

Verify that the generated ".csr" includes the SAN. "-verify" also checks the CSR's self-signature, so a tampered or mis-generated request is reported here.

# openssl req -text -noout -verify -in testwps.off.local.csr | grep -A2 Alternative

Output:

[root@testwps ~]# openssl req -text -noout -verify -in testwps.off.local.csr | grep -A2 Alternative
verify OK
X509v3 Subject Alternative Name:
DNS:testwps.off.local, DNS:testwps
Signature Algorithm: sha256WithRSAEncryption

Now copy the CSR over to the CA server using "scp" and sign the request there. Remember to include the SAN within the signing one-liner: "openssl x509 -req" does not copy extensions from the CSR into the certificate, so unless the SAN is supplied again with "-extfile" the issued certificate will have no SAN even though the CSR did.

On CA Server

*** Note: Make sure "req_extensions = v3_req" is uncommented in "openssl.cnf" ***

# openssl x509 -req -days 730 -sha256 -extfile <(printf "subjectAltName=DNS:testwps.off.local,DNS:testwps") -in testwps.off.local.csr -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -out testwps.off.local.crt

Output:

[ca:/etc/pki/CA]# openssl x509 -req -days 730 -sha256 -extfile <(printf "subjectAltName=DNS:testwps.off.local,DNS:testwps") -in testwps.off.local.csr -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -out testwps.off.local.crt
Signature ok
subject=/C=UK/ST=BRK/O=Personal/CN=testwps.off.local
Getting CA Private Key

Verify that the generated ".crt" includes the SAN. If this prints nothing, the SAN was dropped during signing and the certificate should not be deployed.

# openssl x509 -in testwps.off.local.crt -text -noout | grep -A2 Alternative

Output:

[ca:/etc/pki/CA]# openssl x509 -in testwps.off.local.crt -text -noout | grep -A2 Alternative
X509v3 Subject Alternative Name:
DNS:testwps.off.local, DNS:testwps
Signature Algorithm: sha256WithRSAEncryption
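The whole procedure above, written as a self-contained script that can be run on a test box rather than across two hosts. This is an added example, not a script from the original article: it creates a throw-away CA in a scratch directory (in the article the CA lives on a separate server under /etc/pki/CA), generates the key and CSR with the SAN via "-reqexts SAN", signs it with and without "-extfile", and then reads the SAN back from both the CSR and the certificates. The "nosan" certificate is produced only to show that "openssl x509 -req" drops the SAN when "-extfile" is omitted. It assumes "openssl" 1.1 or 3.x on PATH and uses a config file instead of process substitution so that it runs under plain POSIX sh; the hostname, DN values and file names are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): CSR -> CA-signed certificate
# round trip with a SAN, run in a scratch directory with a throw-away CA.
# Assumes `openssl` 1.1 or 3.x is on PATH; hostnames and DN values are
# constructed sample data.
set -eu

# Print the SubjectAltName value of a CSR (kind=req) or certificate
# (kind=x509) as one line, e.g. "DNS:testwps.off.local, DNS:testwps".
# Prints nothing when the object carries no SAN at all.
san_of() {
    openssl "$1" -in "$2" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Write a minimal req config into <dir>: a [SAN] section carrying the given
# subjectAltName value (used via -reqexts SAN, like the article's one-liner)
# and CA extensions that are only used for the throw-away test root.
write_req_config() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[SAN]
subjectAltName = $2
EOF
}

# Throw-away self-signed CA (constructed; stands in for the CA server).
make_test_ca() {
    openssl req -x509 -new -nodes -sha256 -newkey rsa:2048 -days 1 \
        -subj "/C=UK/O=Personal/CN=Test CA" -config "$1/req.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Key + CSR for <host>, with the SAN embedded through -reqexts SAN.
make_csr() {
    dir="$1"; host="$2"
    openssl req -new -nodes -sha256 -newkey rsa:2048 \
        -subj "/C=UK/ST=BRK/O=Personal/CN=$host" \
        -reqexts SAN -config "$dir/req.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
}

# Sign <host>.csr with the test CA into <out>. With an extfile the SAN is
# carried into the certificate; without one `openssl x509 -req` silently
# drops every extension present in the CSR.
sign_csr() {
    dir="$1"; host="$2"; out="$3"; extfile="${4:-}"
    if [ -n "$extfile" ]; then
        set -- -extfile "$extfile"
    else
        set --
    fi
    openssl x509 -req -days 730 -sha256 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        "$@" -out "$dir/$out" 2>/dev/null
}

# Full run in <dir>: builds CA, CSR, a correct certificate and a "nosan"
# certificate, checks the correct one chains to the CA, and prints its SAN.
demo() {
    dir="$1"; host="testwps.off.local"; sans="DNS:testwps.off.local,DNS:testwps"
    write_req_config "$dir" "$sans"
    make_test_ca "$dir"
    make_csr "$dir" "$host"
    printf 'subjectAltName=%s\n' "$sans" > "$dir/san.ext"
    sign_csr "$dir" "$host" "$host.crt" "$dir/san.ext"
    sign_csr "$dir" "$host" "$host-nosan.crt"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null
    san_of x509 "$dir/$host.crt"
}

# Usage: run everything in a temporary directory and show the SAN.
# demo "$(mktemp -d)"
```

Running "demo" prints "DNS:testwps.off.local, DNS:testwps" for the correctly signed certificate, while "san_of x509 <dir>/testwps.off.local-nosan.crt" prints nothing, which is exactly the failure the "-extfile" argument in the article's signing command prevents.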

Please let us know if you come across any issues and we will try to help resolve them as soon as we can.
