Open SSL SAN

gistfile1.sh

# Generate Private Key
$ openssl genrsa -out server.key 2048
# Generate CSR
$ openssl req -new -out server.csr -key server.key -config openssl.cnf
# => Fill in info
# Check CSR
$ openssl req -text -noout -in server.csr
# Sign Cert
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions v3_req -extfile openssl.cnf

openssl.cnf.ini

[ req ]
default_bits                = 1024
default_keyfile             = privkey.pem
distinguished_name          = req_distinguished_name
req_extensions              = v3_req
 
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = UK
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Wales
localityName                = Locality Name (eg, city)
localityName_default        = Cardiff
organizationName            = Organization Name (eg, company)
organizationName_default    = Example UK
commonName                  = Common Name (eg, YOUR name)
commonName_default          = one.test.app.example.net
commonName_max              = 64
 
[ v3_req ]
basicConstraints            = CA:FALSE
keyUsage                    = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName              = @alt_names
 
[alt_names]
DNS.1   = two.test.app.example.net
DNS.2   = exampleapp.com

References

• http://wiki.nginx.org/HttpSslModule
• http://apetec.com/support/GenerateSAN-CSR.htm
• http://www.sslshopper.com/article-most-common-openssl-commands.html
• http://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/

Default openssl.cnf on OS X:

/System/Library/OpenSSL/openssl.cnf

:-) good template to have .