This is how to generate a certificate request the right way, in 2017. When this changes (and it will), this document will be amended.
We first generate a 4096-bit RSA key for the domain.
openssl genrsa -out example.com.key 4096
Then create the CSR, using the previously created key, with SHA256 (SHA512 is also possible):
openssl req -out example.com-csr.csr -key example.com.key -new -sha256
Done.

For a CSR that covers several domains (a subjectAltName list), a config file is needed as well:

- Find and copy openssl.cnf to a new file named after the domain; we will use example.com.cnf in this document.
- Edit example.com.cnf and uncomment (or add) req_extensions = v3_req. It will be located, or will need to be added, under the [ req ] section.
- Find the [ v3_req ] section, and add subjectAltName = @alt_names. The section will then look like this:

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

- Add a new section called [ alt_names ] towards the end of the file, and list all the domains you want the certificate to contain, like so:

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = somethingelse.example.com

- Using the same key we generated before, run the following to generate the multi-domain CSR:

openssl req -out example.com-csr.csr -key example.com.key -new -sha256 -config example.com.cnf

- You can verify that the CSR has the right information by running:

openssl req -in example.com-csr.csr -noout -text

and looking for

DNS:example.com, DNS:www.example.com, DNS:somethingelse.example.com

in it.
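As an added example (not part of the original post), here is a small POSIX shell script that writes the config described above from a list of hostnames instead of hand-editing a copy of openssl.cnf, and then runs the same openssl commands. The function names, the CSR_HOSTS variable, the prompt = no setting and the use of the first hostname as the subject CN are my assumptions; the hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate the [ v3_req ] / [ alt_names ]
# request config from a hostname list, then build and inspect the CSR with openssl.
set -eu

# make_san_config <host...> -- prints an openssl req config whose [ v3_req ]
# section references [ alt_names ], with one DNS.N line per host.
# Assumption: the first host is also used as the CN of the subject.
make_san_config() {
    first="$1"
    cat <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = ${first}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
EOF
    i=1
    for host in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$host"
        i=$((i + 1))
    done
}

# make_csr <key> <csr> <host...> -- the same openssl commands as the post, with
# the config written to a temporary file; the key is generated if it is missing.
make_csr() {
    key="$1"; csr="$2"; shift 2
    cnf=$(mktemp)
    make_san_config "$@" > "$cnf"
    [ -f "$key" ] || openssl genrsa -out "$key" 4096
    openssl req -out "$csr" -key "$key" -new -sha256 -config "$cnf"
    rm -f "$cnf"
    # Show the SAN line of the resulting CSR so the DNS entries can be checked.
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage (constructed hostnames): CSR_HOSTS="example.com www.example.com" sh san-csr.sh
if [ -n "${CSR_HOSTS:-}" ]; then
    # shellcheck disable=SC2086
    make_csr example.com.key example.com-csr.csr $CSR_HOSTS
fi
```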