Generate a private key:
$ openssl genrsa -out san.key 2048 && chmod 0600 san.key
Create a configuration file. Change alt_names appropriately.
$ cat << EOL > san.conf
[ req ]
default_bits = 2048
default_keyfile = san.key #name of the keyfile
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = West Midlands
localityName = Locality Name (eg, city)
localityName_default = Birmingham
organizationName = Organization Name (eg, company)
organizationName_default = Example
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.net
DNS.3 = www.example.org
EOL
Generate a CSR:
$ openssl req -new -nodes -sha256 -key san.key -config san.conf -out san.csr
Verify:
$ openssl req -in san.csr -noout -text
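# Generate the cert, valid for 1 year.
# -extfile/-extensions: x509 -req does not copy the CSR's subjectAltName by default.
openssl x509 -req -sha256 \
-days 365 \
-in san.csr \
-signkey san.key \
-extfile san.conf -extensions req_ext \
-out san.crt >/dev/null 2>&1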
That’s fine if you want a self-signed certificate.
Simple and Concise. Thank you!
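The key, CSR and self-signing steps above run unattended, as an added example that is not part of the original page: it counts the DNS entries in the CSR, in a certificate signed without -extfile, and in one signed with it. The prompt = no setting, the fixed CN, the temp directory and the names san_count, build_and_check and bare.crt are assumptions made for the example.

```shell
#!/bin/sh
# Added example (constructed names; runs in a throwaway temp directory).

# san_count KIND FILE: number of DNS SAN entries in a CSR (KIND=req) or certificate (KIND=x509).
san_count() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '
}

# build_and_check: key -> CSR -> two self-signed certs; prints the SAN count of each artifact.
build_and_check() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        umask 077    # key file is created owner-only, no chmod window
        # Assumption: prompt = no and a fixed CN so the run needs no input.
        cat > san.conf <<'EOF' || exit 1
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = www.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = www.example.net
DNS.3 = www.example.org
EOF
        openssl genrsa -out san.key 2048 2>/dev/null || exit 1
        # -key reuses san.key; without it, req -new generates a fresh key.
        openssl req -new -key san.key -sha256 -config san.conf -out san.csr || exit 1
        # Signed without -extfile: the CSR's requested extensions are not copied.
        openssl x509 -req -sha256 -days 365 -in san.csr -signkey san.key \
            -out bare.crt 2>/dev/null || exit 1
        # Signed with the same req_ext section supplied explicitly.
        openssl x509 -req -sha256 -days 365 -in san.csr -signkey san.key \
            -extfile san.conf -extensions req_ext -out san.crt 2>/dev/null || exit 1
        echo "csr=$(san_count req san.csr) bare=$(san_count x509 bare.crt) san=$(san_count x509 san.crt)"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

build_and_check
```

A bare count of 0 means clients that match hostnames against subjectAltName will reject that certificate even though the CSR requested the names.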