This minimalist post is about creating a private key and a certificate signing request (CSR) for a SAN SSL certificate using OpenSSL. These commands were tested on the Mac OS command line using iTerm 2.
Run the following command to generate the private key:
openssl genrsa -out acme.com.key 2048
Create an OpenSSL config file with the following content and name it acme.com.cnf:
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Ile-de-France
localityName = PARIS LA DEFENSE
organizationName = ACME GROUPE
organizationalUnitName = IS Services
commonName = acme.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = acme.com
DNS.2 = subdomain.acme.com
DNS.3 = another.acme.com
Adapt the content using your domain (commonName attribute) and subdomains (alt_names.DNS.X values).
Run the following command to generate the CSR:
openssl req -new -sha256 -out acme.com.csr -key acme.com.key -config acme.com.cnf
You can verify the generated CSR on the CLI using:
openssl req -in acme.com.csr -noout -text
The output should look like this:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, ST=Ile-de-France, L=PARIS LA DEFENSE, O=ACME GROUPE, OU=IS Services, CN=acme.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    <content>
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    c9:bf
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:acme.com, DNS:subdomain.acme.com, DNS:another.acme.com
    Signature Algorithm: sha256WithRSAEncryption
         00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
         <content>
         00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
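Reading the text dump by eye is easy to get wrong once the SAN list grows. The script below is an added example, not part of the original post: it checks that the CSR's self-signature verifies, that the CSR was built from the intended key, that its SAN list is exactly the [alt_names] list in the config, and that the commonName is repeated among the SANs (current clients match hostnames against the SAN list only). The function names are hypothetical; the file layout and the alt_names section name are the ones used above.

```shell
#!/bin/sh
# Added example: checks on a CSR before it goes to the CA. Function names are
# hypothetical; the [alt_names] section name is the one used in the post.

# DNS SANs actually present in the CSR, one per line, sorted.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# DNS.N values listed under [alt_names] in the config, sorted.
cnf_sans() {
    awk -F'=' '/^\[/ { in_alt = ($0 ~ /alt_names/); next }
        in_alt && $1 ~ /^ *DNS\.[0-9]+ *$/ { gsub(/ /, "", $2); print $2 }' "$1" | sort
}

# True when the CSR carries the public half of the given private key.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# usage: check_csr CSR KEY CNF -> prints "ok" or the first failed check
check_csr() {
    # Match on the message text: the exit status of -verify differs by version.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR self-signature does not verify"; return 1; }
    csr_matches_key "$1" "$2" ||
        { echo "CSR was not generated from this private key"; return 1; }
    [ "$(csr_sans "$1")" = "$(cnf_sans "$3")" ] ||
        { echo "SAN list in CSR differs from [alt_names] in config"; return 1; }
    cn=$(awk -F'=' '$1 ~ /^ *commonName *$/ { gsub(/ /, "", $2); print $2 }' "$3")
    csr_sans "$1" | grep -qxF "$cn" ||
        { echo "commonName $cn is not listed as a SAN"; return 1; }
    echo "ok"
}

# Run the checks when called as: sh check_csr.sh acme.com.csr acme.com.key acme.com.cnf
if [ $# -eq 3 ]; then
    check_csr "$@"
fi
```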
How would we do this with -addext on the command line?