This article walks through generating a certificate signing request (CSR) that carries a Subject Alternative Name (SAN) extension and then signing it with a private CA so that the SAN actually ends up in the issued certificate. Current browsers (Chrome since version 58, for example) no longer fall back to the Common Name when matching a hostname, so a certificate whose SAN does not list the site name is rejected as invalid even when the CN is correct.
Let’s start by generating the certificate request. The one-liner below appends a [SAN] section to the stock openssl.cnf using bash process substitution and points openssl req at that section with -reqexts, so the SAN lands in the request extensions. Two things to know before running it: the config path is the RHEL/CentOS one (Debian and Ubuntu keep it at /etc/ssl/openssl.cnf), and -nodes writes the private key unencrypted, so run it under a restrictive umask or chmod 600 the .key file straight away. Note that -reqexts, not -extensions, selects the section used for request extensions; -extensions is only consulted when openssl req builds a self-signed certificate with -x509.
On the host generating the CSR
# openssl req -new -nodes -sha256 -out testwps.off.local.csr -newkey rsa:2048 -keyout testwps.off.local.key -subj "/C=UK/ST=BRK/O=Personal/CN=testwps.off.local" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:testwps.off.local,DNS:testwps"))
Key:
- testwps.off.local = change to the required hostname (it appears in the file names, in the CN and in the SAN list).
- subjectAltName=DNS:... = list every name the host/website will be reached by, one DNS: entry per name. Include the CN here as well, because browsers match only against the SAN.
- -subj
  - /C = change to the required country
  - /ST = change to the required state or county
  - /O = change to the required organisation
  - /CN = change to the required common name, normally the primary hostname
Verify that the generated “.csr” includes the SAN and that its self-signature checks out (the "verify OK" line).
# openssl req -text -noout -verify -in testwps.off.local.csr | grep -A2 Alternative
Output:
[root@testwps ~]# openssl req -text -noout -verify -in testwps.off.local.csr | grep -A2 Alternative
verify OK
X509v3 Subject Alternative Name:
DNS:testwps.off.local, DNS:testwps
Signature Algorithm: sha256WithRSAEncryption
Now copy the CSR to the CA server using “scp” (only the .csr; the private key stays on the host) and sign the request. The SAN has to be supplied again at signing time: openssl x509 -req does not carry extensions over from the CSR into the certificate (OpenSSL 3 can be told to with -copy_extensions, older releases cannot), so anything not listed in the -extfile is silently dropped.
On the CA server
*** Note: no change to openssl.cnf is needed for this step. openssl x509 -req takes its extensions only from the file given with -extfile; the "req_extensions = v3_req" setting in openssl.cnf applies to openssl req, and the CSR command above overrides it with -reqexts SAN anyway. The -extfile is also the place for the CA to pin "basicConstraints=CA:FALSE" and "extendedKeyUsage=serverAuth", so the issued certificate cannot be misused as an intermediate CA or for anything other than serving TLS. ***
# openssl x509 -req -days 730 -sha256 -extfile <(printf "subjectAltName=DNS:testwps.off.local,DNS:testwps") -in testwps.off.local.csr -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -out testwps.off.local.crt
Output:
[ca:/etc/pki/CA]# openssl x509 -req -days 730 -sha256 -extfile <(printf "subjectAltName=DNS:testwps.off.local,DNS:testwps") -in testwps.off.local.csr -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -out testwps.off.local.crt
Signature ok
subject=/C=UK/ST=BRK/O=Personal/CN=testwps.off.local
Getting CA Private Key
Verify that the generated “.crt” includes the SAN.
# openssl x509 -in testwps.off.local.crt -text -noout | grep -A2 Alternative
Output:
[ca:/etc/pki/CA]# openssl x509 -in testwps.off.local.crt -text -noout | grep -A2 Alternative
X509v3 Subject Alternative Name:
DNS:testwps.off.local, DNS:testwps
Signature Algorithm: sha256WithRSAEncryption
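The whole procedure end to end, as an added example that is not part of the original article: it builds a throwaway CA in a temporary directory, creates the CSR with the SAN from a self-contained openssl.cnf (so it does not depend on /etc/pki/tls/openssl.cnf or on bash process substitution), signs it once the way the article does and once without -extfile to show what is lost, then checks the SAN and the hostname match. The CA name "Demo Private CA", the negative test name "other.off.local", the extra leaf extensions in server_ext.cnf and all file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the article's own commands). Requires the openssl CLI.
set -u

HOST=testwps.off.local
ALT=testwps
DEMO_DIR=$(mktemp -d)                    # assumed scratch location
trap 'rm -rf "$DEMO_DIR"' EXIT           # do not leave private keys in /tmp

# Minimal openssl.cnf: a DN section (openssl req insists on one), the [SAN]
# request-extension section, and extensions for the throwaway CA certificate.
write_config() {
    cat > "$DEMO_DIR/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C  = UK
ST = BRK
O  = Personal
CN = $HOST
[SAN]
subjectAltName = DNS:$HOST,DNS:$ALT
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # What the CA stamps on the leaf. openssl x509 -req ignores the CSR's own
    # extensions, so the SAN must be repeated here; the rest pins the leaf down.
    cat > "$DEMO_DIR/server_ext.cnf" <<EOF
subjectAltName = DNS:$HOST,DNS:$ALT
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_ca() {   # self-signed CA, stand-in for certs/ca.crt and private/ca.key
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$DEMO_DIR/openssl.cnf" -extensions ca_ext \
        -subj "/CN=Demo Private CA" \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" 2>/dev/null
}

make_csr() {  # same as the article's one-liner, DN taken from [dn] instead of -subj
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$DEMO_DIR/openssl.cnf" -reqexts SAN \
        -keyout "$DEMO_DIR/host.key" -out "$DEMO_DIR/host.csr" 2>/dev/null
}

sign_with_san() {     # the article's signing step, SAN restated via -extfile
    openssl x509 -req -days 730 -sha256 -in "$DEMO_DIR/host.csr" \
        -CA "$DEMO_DIR/ca.crt" -CAkey "$DEMO_DIR/ca.key" -CAcreateserial \
        -extfile "$DEMO_DIR/server_ext.cnf" -out "$DEMO_DIR/host.crt" 2>/dev/null
}

sign_without_san() {  # the mistake the article warns about: no -extfile
    openssl x509 -req -days 730 -sha256 -in "$DEMO_DIR/host.csr" \
        -CA "$DEMO_DIR/ca.crt" -CAkey "$DEMO_DIR/ca.key" -CAcreateserial \
        -out "$DEMO_DIR/nosan.crt" 2>/dev/null
}

# has_san_dns <file> <name> [req]: is DNS:<name> in the SAN of a cert (or CSR)?
has_san_dns() {
    cmd=x509; [ "${3:-}" = req ] && cmd=req
    openssl "$cmd" -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        grep -qE "DNS:$2(,|\$)"
}

# hostname_ok <cert> <name>: chain check plus hostname match, as OpenSSL does it
hostname_ok() {
    openssl verify -CAfile "$DEMO_DIR/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

main() {
    write_config && make_ca && make_csr && sign_with_san && sign_without_san ||
        { echo "an openssl step failed" >&2; return 1; }
    has_san_dns "$DEMO_DIR/host.csr" "$ALT" req && echo "CSR carries DNS:$ALT"
    has_san_dns "$DEMO_DIR/host.crt" "$ALT"     && echo "signed cert carries DNS:$ALT"
    has_san_dns "$DEMO_DIR/nosan.crt" "$ALT"    || echo "cert signed without -extfile lost the SAN"
    hostname_ok "$DEMO_DIR/host.crt" "$ALT"     && echo "verify accepts $ALT"
    hostname_ok "$DEMO_DIR/host.crt" other.off.local || echo "verify rejects other.off.local"
}
main
```

Two things worth knowing when adapting this. OpenSSL 1.1.1 and later accept `-addext "subjectAltName=DNS:testwps.off.local,DNS:testwps"` on `openssl req -new`, which removes the need for the process substitution or the custom config. And `openssl verify -verify_hostname` is not a stand-in for a browser: when a certificate has no SAN at all, OpenSSL still falls back to matching the CN, whereas browsers do not, so the check that matters for browser acceptance is the one that reads the SAN extension itself (has_san_dns above).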
Please do let us know if you come across any issues and we will try to help resolve as soon as we can.