How to generate SSL SAN Certificate CSR using OpenSSL

In this article, we will generate SAN certificates CSR using the OpenSSL utility. SAN stands for “Subject Alternative Names” and this certificate has multiple CN (Common Names) within a single Certificate.

how-to-generate-ssl-san-certificate-csr-using-openssl

SAN Certificate helps us to have a common certificate for multiple CN. Thus you can use it for more than one web server.

You may include DNS entries as well as IP Addresses in the certificate to avoid certificate warning messages in the latest web browsers.

You may refer to the Microsoft Bing certificate, it is a SAN Certificate and includes multiple Common Names.

How to generate CSR with SAN

You need a server where the OpenSSL is installed. Login to the server, and just follow the below procedure to generate the SAN Certificate.

1. Navigate to /tmp directory

[root@linux]# cd /tmp

2. Create san.cnf file using touch

[root@linux tmp]# touch san.cnf

3. Edit the file using vi or nano editor

[root@linux tmp]# nano san.cnf

Now, edit the file as per your requirement.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt=no
[ req_distinguished_name ]
countryName = Country Name (2-letter code, i.e, IN)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = iptrainer.net
DNS.2 = iptrainer.com
DNS.3 = iptrainer.info
IP.1 = 198.54.116.242
IP.2 = 1.1.1.1

You may have noticed, we have used DNS and IP in the alt_names field. You can edit this field as per your requirement.

Now, you need to run the below command to generate the CSR.

[root@linux tmp]# openssl req -out server.iptrainer.csr -newkey rsa:2048 -nodes -keyout server.iptrainer.key -config san.cnf

Once you executed this command, you will get the below output in CLI:

Generating a 2048 bit RSA private key
…………………………….+++
……………………+++
writing new private key to ‘server.iptrainer.key’
-----

The above command will generate the server.iptrainer.csr and server.iptrainer.key in the current working directory, i.e., /tmp. You need to provide server.iptrainer.csr file to the Certificate signer Authority so they can sign it and provide it back to you.

Verify the content of CSR using OpenSSL

It is also important to verify the content of the CSR before providing it to CA (Certificate Authority). You may execute the below command to verify the content of a CSR:

[root@linux tmp]# openssl req -text -noout -verify -in server.iptrainer.csr

or

[root@linux tmp]# openssl req -text -noout -verify -in server.iptrainer.csr | egrep ‘DNS|IP’

You will get all of the DNS and IP Addresses you have configured in the SAN Certificate CSR

verify OK
DNS:iptrainer.net, DNS:iptrainer.com, DNS:iptrainer.info, IP Address:198.54.116.242, IP Address:1.1.1.1

That’s it! We have successfully generated the SAN Certificate CSR using OpenSSL. You can install the certificate once you receive the Certificate from the CA (Certificate Authority).

Related Articles

Summary

SAN certificate has multiple Common Name, so it is easy to use with your different Web Servers. Even, you can define the IP addresses in the SAN Certificate and browse your web server without getting a certificate warning page in the latest web browsers. OpenSSL is an open-source utility, that helps us to generate SSL certificates.

Hope you like this article. In case you like this article, request you to please share it on different platforms! In case you get into error, just comment in the comment box!

Leave a Reply

Your email address will not be published. Required fields are marked *