A Subject Alternative Name (SAN) certificate lets a single cert be used to verify several different domain names. SAN is an extension to X.509 SSL/TLS certs.
1. Create config
Create a config file (mydomain.conf, the name used in step 2):

[ req ]
default_bits = 2048
default_keyfile = mydomain.key
distinguished_name = req_distinguished_name
prompt = no
attributes = req_attributes
req_extensions = mydomain_ext

[ req_distinguished_name ]
C = XX
ST = Some State
L = Some Locality
O = Some Organization
OU = Some Organizational Unit
CN = mydomain.com
emailAddress = firstname.lastname@example.org

[ req_attributes ]
challengePassword = A challenge password

[ mydomain_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
DNS.3 = myotherdomain.com
DNS.4 = *.myotherdomain.com
2. Create CSR
Create the CSR and private key using this config:
openssl req -new -nodes -out mydomain.csr -config mydomain.conf
You can verify the contents of the CSR:
openssl req -in mydomain.csr -noout -text
There should be an “X509v3 Subject Alternative Name” line in the output, listing the DNS names from the alt_names block.
3. Sign the CSR
Just like in Tutorial #1, you then sign the CSR with your CA cert, but this time you need one extra line in your CA config, otherwise the SAN extension in the request is dropped from the issued cert.
Add this line in the [ CA_own ] block:
copy_extensions = copy
Then sign it. Configure your webserver to use this cert.
(1) When a SAN is present, clients ignore the common name, so make sure the common name is also listed as one of the alt_names entries.
(2) If you are creating a self-signed cert rather than a cert request, you should change
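The CSR part of the procedure above (steps 1 and 2) plus the check from note (1), as an added script that is not part of the tutorial: it writes a request config whose alt_names always repeats the CN, builds the CSR, and tests exactly which DNS names the CSR's SAN extension carries. It assumes `openssl` is on PATH; the temp directory and file names are arbitrary.

```shell
#!/bin/sh
# Added example, not part of the tutorial: write a SAN request config,
# build the CSR from it (step 2), and check which DNS names the CSR's
# SAN extension actually carries. Assumes `openssl` is on PATH; the
# temp directory and file names are arbitrary.
set -e
WORK=$(mktemp -d)

# write_san_config CONFIG CN NAME... : request config with a SAN block.
# The CN is always written as DNS.1, per note (1): clients ignore the
# CN once a SAN is present, so it must be repeated in alt_names.
write_san_config() {
    conf=$1; cn=$2; shift 2
    {
        printf '[ req ]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = dn\nreq_extensions = san_ext\n\n'
        printf '[ dn ]\nCN = %s\n\n' "$cn"
        printf '[ san_ext ]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$conf"
}

# make_csr CONFIG KEY CSR : unencrypted key plus CSR, as in step 2.
make_csr() {
    openssl req -new -nodes -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# csr_has_san CSR NAME : succeed only if DNS:NAME is one of the SAN
# entries (exact match, so a wildcard entry never matches its hosts).
csr_has_san() {
    openssl req -in "$1" -noout -text \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' | sed 's/^[[:space:]]*//' \
      | grep -qxF "DNS:$2"
}

write_san_config "$WORK/mydomain.conf" mydomain.com \
    www.mydomain.com myotherdomain.com '*.myotherdomain.com'
make_csr "$WORK/mydomain.conf" "$WORK/mydomain.key" "$WORK/mydomain.csr"
csr_has_san "$WORK/mydomain.csr" mydomain.com && echo "CN is in SAN: ok"
csr_has_san "$WORK/mydomain.csr" '*.myotherdomain.com' && echo "wildcard: ok"
```

The same `csr_has_san` pipeline works on the signed cert if you swap `openssl req` for `openssl x509`, which is how to confirm that `copy_extensions = copy` actually carried the SAN through step 3.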