How to create an OpenSSL Self-Signed Certificate using SAN?


Never mind, I figured it out myself.

The OpenSSL CLI allows the -subj flag to set up information about the Certificate Authority (CA), but adding the Subject Alternative Names (SAN) cannot be done using the command line. So I had to resort to calling -config followed by the file I want to load as a simple configuration. For creating self-signed certificates this should suffice, but not for production:

# ./config/tiny_openssl.conf
[CA_default]
copy_extensions = copy

[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[req_distinguished_name]
C = US
ST = Washington
L = Seattle
O = My Company
OU = IT Department
emailAddress = [email protected]
CN = mycompany.com

[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names

[alternate_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = app.localhost
# ...

The [alternate_names] values must match the URL of the site (or sites) served under SSL by the generated certificate. Something like localhost or app.localhost can work. Then we fire OpenSSL using this config.

$ openssl req -x509 -newkey rsa:4096 -sha256 -utf8 -days 365 -nodes \
    -config ./config/tiny_openssl.conf \
    -keyout ./certificates/private.key \
    -out ./certificates/ssl/certificate.crt

Added this .crt file in Windows 10 under Trusted Root Certificate Authorities, restarted Chrome and the web server, and voilà.

If you are worried about performance in the HTTP transaction, you can change the RSA key to 2048 bits.


This may work only for internal testing between a server and a browser. If you need a more complete and reliable solution with 100% valid SSL certificates, you should make a CA and a CSR, and then sign the CSR with that CA; that will come out as a valid self-signed certificate:

https://stackoverflow.com/a/21494483/647490
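As an added example (not the answer's own code), the POSIX shell script below writes a config in the same shape as tiny_openssl.conf above, generates a self-signed certificate from it, and then reads the certificate back with openssl x509 to confirm the SAN extension is really there, next to a -subj-only certificate that has none. It assumes an openssl binary on PATH and a writable $TMPDIR (or /tmp); every hostname and path is constructed for the demo.

```shell
# Added example, not from the original answer. Assumes openssl is on PATH and
# $TMPDIR (or /tmp) is writable; all names and paths below are constructed.
set -eu
WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Write a minimal req config: [req] points at [v3_req] for the extensions,
# and subjectAltName pulls one DNS.N entry per hostname from [alt_names].
write_san_config() {   # $1 = config path, $2... = hostnames (first one is the CN)
  cfg="$1"; shift
  {
    printf '[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n'
    printf 'distinguished_name = dn\nx509_extensions = v3_req\n\n[dn]\nCN = %s\n\n' "$1"
    printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n\n[alt_names]\n'
    i=1; for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
  } > "$cfg"
}

# Key + self-signed cert in one step, same shape as the command in the answer.
make_cert_with_config() {   # $1 = config, $2 = key out, $3 = cert out
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# The -subj-only form: the subject is set, but no SAN extension is emitted.
make_cert_subj_only() {   # $1 = CN, $2 = key out, $3 = cert out
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Print the SAN entries of a certificate (empty if the extension is absent).
# A browser that requires SAN rejects any cert for which this prints nothing.
cert_san() {   # $1 = cert path
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

demo_with_san() {
  write_san_config "$WORK/tiny.conf" localhost app.localhost
  make_cert_with_config "$WORK/tiny.conf" "$WORK/san.key" "$WORK/san.crt"
  cert_san "$WORK/san.crt"      # prints: DNS:localhost, DNS:app.localhost
}

demo_without_san() {
  make_cert_subj_only localhost "$WORK/plain.key" "$WORK/plain.crt"
  cert_san "$WORK/plain.crt"    # prints nothing
}
```

Run cert_san against any certificate you are about to trust in the browser; an empty result is the reason for the SAN error the comments below describe.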

Author: DarkGhostHunter, Freelance Web Designer & Web Developer

Updated on June 04, 2022

Comments

  • DarkGhostHunter, almost 2 years

    As of the latest Chrome 60+, if there is no SAN, it throws an ERROR on HTTPS pages. The OpenSSL command line doesn't add these extensions.

  • kontur, over 6 years

    Thanks, this worked :) On Mac, generate the .crt file like above, link it in your https ssl config, and restart your Apache. Then also double click the .crt file to "Add to Keychain", then double click the installed certificate, expand the "Trust" section and select "Always trust", restart Chrome, and "voilà".
  • Richard Kiefer, over 4 years

    Here are some of my lessons learned: if you have only one domain, you can use the syntax subjectAltName = DNS:your.domain. You can also attach the [ v3_ca ] section to a copy of your openssl.cnf file; multiple section instances will then be merged. In answers at other places, the parameters -extensions ... -extfile ... are suggested as an alternative. However, this only works for openssl ca; openssl req does not know -extfile. Thanks @DarkGhostHunter, I got it to work to self-sign my certificates on MacOS and use them in the Chrome browser via the system cert store now.
    Here some of my lessons learned: if you got only one domain, you can use the syntax subjectAltName = DNS:your.domain. You can also also attach the [ v3_ca ] section to a copy of your openssl.cnf file; multiple section instances will then be merged. In answers at other places, the parameters -extensions ... -extfile ... are suggested as an alternative. However, this only works for openssl ca, but openssl req does not know -extfile. Thanks @DarkGhostHunter, I got it to work to self-sign my certificates on MacOS and use them in Chrome browser via the system cert store now.