How to generate a SAN CSR from the command line

Posted in Linux/Unix/BSD

SAN certificates (Subject Alternative Name certificates) let a single certificate cover multiple domain names, which means you can serve several secured domains from a single IP address without relying on SNI (Server Name Indication). This post shows how to generate the CSR (Certificate Signing Request) for a SAN certificate from the command line.

The openssl command to generate the SAN CSR

I found plenty of tutorials on generating SAN certificates, but they were all overly complicated, and some required making a copy of /etc/ssl/openssl.cnf, which then made it difficult or impossible to keep the optional inputs optional. All I wanted was a single command line that would generate the CSR file.

After some messing around, I managed to come up with this:

openssl req -new -newkey rsa:2048 -nodes -keyout filename.key -out filename.csr -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:www.example.org,DNS:www.example.net"))

Replace "filename.key" & "filename.csr" with the filenames you want for the key and CSR, and replace www.example.org & www.example.net with the domain names you want on the certificate. Two things to note: the <( ... ) process substitution is a bash feature, so run the command from bash rather than sh/dash, and -nodes writes the private key unencrypted, so keep the .key file readable only by the account that needs it.

If you only need one additional domain, remove the ,DNS:www.example.net part; if you need more than two, append further ",DNS:domain" parts to the list. (OpenSSL 1.1.1 and later also accept -addext "subjectAltName=DNS:..." directly on the openssl req command line, which does away with the config trick altogether, but the version shipped with older Debian releases does not have it.)

This command does not take the common name from the SAN list: after hitting <enter> you get the normal CSR generation dialog, and you type the primary domain name there when it asks for the common name. Bear in mind, however, that modern browsers ignore the common name entirely and match the hostname only against the subjectAltName extension, so put the primary domain in the DNS: list as well rather than relying on the CA to add it for you.

The command above worked for me on Debian 7 and Debian 8.
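The same procedure as a non-interactive shell function, added here as an example; it is not code from the original post. Instead of concatenating /etc/ssl/openssl.cnf (whose location differs between distributions) it writes a minimal temporary config, so it needs no bash process substitution and runs under plain sh; it puts the primary name into the SAN alongside the CN, restricts the unencrypted key's permissions, and reads the CSR back to verify the names it carries. The function names, filenames and hostnames are assumptions for illustration; the only requirement is openssl on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a SAN CSR without
# prompting, from a minimal temporary OpenSSL config, and reads the CSR back to
# check the names. Requires only openssl on PATH and works in plain sh (no
# process substitution). Filenames and hostnames passed in are illustrative.

# gen_san_csr KEYFILE CSRFILE PRIMARY_HOST [EXTRA_HOST ...]
# Writes an unencrypted 2048-bit RSA key and a CSR whose CN is PRIMARY_HOST and
# whose subjectAltName lists PRIMARY_HOST plus every EXTRA_HOST.
gen_san_csr() {
    key=$1; csr=$2; primary=$3; shift 3

    # The primary name goes into the SAN too: browsers match hostnames only
    # against subjectAltName and ignore the CN.
    san="DNS:$primary"
    for host in "$@"; do
        san="$san,DNS:$host"
    done

    # Self-contained config, so nothing depends on where the distro keeps
    # openssl.cnf. prompt = no makes the run non-interactive.
    cfg=$(mktemp "${TMPDIR:-/tmp}/sancsr.XXXXXX") || return 1
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions     = san
default_md         = sha256
prompt             = no

[dn]
CN = $primary

[san]
subjectAltName = $san
EOF

    # umask 077 in a subshell so the unencrypted key is never world-readable.
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null )
    rc=$?
    rm -f "$cfg"
    return $rc
}

# csr_has_san CSRFILE HOST: succeeds if the CSR's SAN contains exactly DNS:HOST.
# Dots are escaped so www.example.org does not match www-example.org, and the
# trailing anchor stops it matching a longer name such as www.example.org.evil.
csr_has_san() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl req -in "$1" -noout -text | grep -Eq "DNS:$esc"'(,|$)'
}

# csr_cn_is CSRFILE HOST: succeeds if the CSR subject's CN is HOST. Accepts both
# the "CN = host" (OpenSSL 1.1+/3.x) and "/CN=host" (1.0.x) subject formats.
csr_cn_is() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl req -in "$1" -noout -subject | grep -Eq "CN ?= ?$esc"'($|[,/])'
}

# Usage, with the same names as the post's command:
#   gen_san_csr filename.key filename.csr www.example.org www.example.net
#   csr_has_san filename.csr www.example.net && echo "SAN present"
```

The verification step matters more than it looks: a CSR silently generated without the SAN extension (for example because the extensions section name in the config and on the command line did not match) is accepted by openssl without complaint and only fails later, when the issued certificate does not cover the extra names.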
