FUN WITH LINUX

OpenSSL: Generating a Subject-Alternative-Names-Certificate

18 September 2015

If you want to set up an SSL certificate that covers multiple subdomains (of the same domain), you’ll have to generate a certificate with alternative names. We can achieve this using some parameters in our openssl.cnf…

First we have to copy our default openssl.cnf:

cp /etc/ssl/openssl.cnf /opt/mysworkingdir

Next we have to find and uncomment the following line (if it doesn’t exist, we just add it):

req_extensions = v3_req

Now we can add a new section called “[v3_req]” if it doesn’t exist:

[v3_req]

# Extensions to add to a certificate request
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Now we just need another section for our alternative names:

[alt_names]
DNS.1 = myalternative.domain.com

Finally we can generate a certificate request (I assume that we already generated a private key):

openssl req -new -key private_key.pem -out my.csr -config openssl.cnf
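The whole procedure end to end, with a check that the alternative names really ended up in the request (an added example, not part of the original post). It assumes a minimal non-interactive config instead of the copied default openssl.cnf; the hostnames and the function names are constructed placeholders.

```shell
# Added example: build a SAN-enabled CSR from a minimal config and read the SANs back.
# All hostnames below are constructed placeholders, not values from the original post.

# write_san_config FILE CN NAME... : minimal config with the sections described above
write_san_config() {
    cfg=$1; cn=$2; shift 2
    cat > "$cfg" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[dn]
CN = $cn

[v3_req]
subjectAltName   = @alt_names
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[alt_names]
EOF
    i=1
    for name in "$@"; do            # one DNS.n entry per requested hostname
        echo "DNS.$i = $name" >> "$cfg"
        i=$((i + 1))
    done
}

# csr_sans FILE : print the DNS names in the CSR's subjectAltName, one per line
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# make_san_csr DIR CN NAME... : create key and CSR in DIR, verify the CSR, list its SANs
make_san_csr() {
    dir=$1; shift
    write_san_config "$dir/openssl.cnf" "$@" || return 1
    openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/private_key.pem" -out "$dir/my.csr" \
        -config "$dir/openssl.cnf" || return 1
    openssl req -in "$dir/my.csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_sans "$dir/my.csr"
}

workdir=$(mktemp -d)
make_san_csr "$workdir" www.example.test www.example.test api.example.test
```

The extensions in a CSR are only a request: when it is signed with openssl x509 -req, they are not carried into the certificate unless they are supplied again with -extfile and -extensions, so run the same check against the issued certificate.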
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti