Specify Subject Alternative Name when generating a self signed certificate


Solution 1

Is there a way to get a .crt and .key file with the subject alternative name set?

Yes, but you cannot do it from the command line. You have to use a CONF file.

For setting the SAN via a CONF file, see "How do you sign Certificate Signing Request with your Certification Authority" and "How to create a self-signed certificate with openssl?". Both include the SAN in the procedures.

Solution 2

As per @vog's answer:

    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
      -keyout example.key -out example.crt -subj "/CN=example.com" \
      -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"

(note that this is only for OpenSSL >= 1.1.1).
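
The CONF-file route that Solution 1 refers to, which does not depend on `-addext`, sketched as an added example (not code from either answer). The function names, file names and the example.com values are constructed placeholders; `cert_sans` reads the SAN back from the result, and because it parses the file as a certificate it also fails on a renamed .csr.

```sh
#!/bin/sh
# Added example: self-signed certificate with SAN set through a config file.
# make_san_cert, cert_sans and all file names are hypothetical helpers.

# make_san_cert <dir> <cn> <san-list>
#   <san-list> uses subjectAltName syntax: "DNS:a,DNS:b,IP:10.0.0.1".
#   Values are written into the config verbatim, so pass trusted input only.
make_san_cert() {
  local dir=$1 cn=$2 sans=$3
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[dn]
CN = $cn

[v3_san]
subjectAltName = $sans
EOF
  # -x509 makes "req" emit a certificate instead of a CSR; x509_extensions
  # names the config section whose extensions are copied into it.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -config "$dir/san.cnf" \
    -keyout "$dir/example.key" -out "$dir/example.crt" 2>/dev/null
}

# cert_sans <crt>: print each SAN entry on its own line.
# Returns 1 if the file is not a certificate or carries no SAN extension.
cert_sans() {
  local line
  line=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
         grep -A1 'X509v3 Subject Alternative Name' | tail -n1)
  [ -n "$line" ] || return 1
  printf '%s\n' "$line" | tr ',' '\n' | sed 's/^ *//'
}

# Demo on constructed values in a throwaway directory; skipped without openssl.
if command -v openssl >/dev/null 2>&1; then
  d=$(mktemp -d)
  make_san_cert "$d" example.com \
    "DNS:example.com,DNS:www.example.net,IP:10.0.0.1" &&
    cert_sans "$d/example.crt"
fi
```
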


Author: Hamzeh Alsalhi

Updated on October 27, 2022

Comments

  • Hamzeh Alsalhi over 1 year

    Is there a way to get a .crt and .key file with the subject alternative name set? I am configuring a proxy with an openssl .crt and .key generated by this command

    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout proxy.key -out proxy.crt
    

    I then cat the .key and .crt to get a .pem and use that on the client side. This cert works fine for securing the https connection but I get a warning that the Subject Alternative Name is not set in the certificate. In another client I use the warning is actually an error that terminates the connection.

    The solution here https://security.stackexchange.com/a/91556 gives me a .csr which I rename to become the .crt I need, and when I use this with the client the https connection fails on incorrect ssl certificate.

  • Pavol Travnik about 3 years
    unknown option -addext LibreSSL 2.8.3
  • redbeam_ about 3 years
    @PavolTravnik did you read the note (in the parentheses)?
  • Pavol Travnik about 3 years
    Well, it is not a solution for Debian nor Mac natively because of the OpenSSL version - a solution probably for a special setup only
  • redbeam_ about 3 years
    @PavolTravnik Well, if you’d read the linked answer (from @vog), you would find a command that works on older versions. This question is not tagged with “Debian” nor “macOS”, so I really don’t see why you had to downvote my answer. I even specifically noted that it doesn’t work on older versions and provided a link to my source. Please reconsider.
  • Reishin over 2 years
    Works perfectly with pure OpenSSL on Ubuntu 21.04! Why use Libre something, when everywhere it is tagged exactly openssl?
  • Reishin over 2 years
    @PavolTravnik it's you who uses some custom config; works perfectly on Ubuntu, CentOS, Fedora out of the box
  • EugeneRomero over 2 years
    Thank you for adding an example with multiple DNS entries, it was not so simple to find the correct syntax. Upvoted.
  • MUY Belgium about 2 years
    Worked on RHEL8