How to Generate a CSR (Certificate Signing Request)

Prerequisites

Before you begin, make sure you have OpenSSL installed on your system. You can check if OpenSSL is installed by running the following command:

openssl version

If OpenSSL is not installed, you can install it using your system's package manager.

  1. Download the OpenSSL installer from the OpenSSL website.

  2. Run the installer and follow the prompts to install OpenSSL on your system. You can choose the default options, or customize the installation as needed.

  3. Once the installation is complete, you can use the OpenSSL command-line tools in the "bin" directory of the installation directory.

That's it! You should now have OpenSSL installed on your system.

Method 1: Using a configuration file

Create a configuration file with the SANs you want to include in the CSR. For example, let's create a file called san.cnf with the following contents:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

# The subject is supplied with -subj below, but openssl req still looks this
# section up (OpenSSL 1.1.1 fails with "unable to find 'distinguished_name' in
# config" if it is missing). It may be left empty.
[req_distinguished_name]

[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com

This configuration file specifies that the CSR should include the SANs example.com and *.example.com.

Generate the CSR using the openssl req command, specifying the configuration file with the -config option. For example:

openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config san.cnf

This command generates a CSR for example.com with the SANs example.com and *.example.com.

Method 2: Using command-line options

Generate the CSR using the openssl req command, specifying the SANs using the -addext option. For example:

openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -addext "subjectAltName = DNS:example.com, DNS:*.example.com"

This command generates a CSR for example.com with the SANs example.com and *.example.com.

Note that the -addext option was added in OpenSSL version 1.1.1. If you're using an older version of OpenSSL, you may need to use a different option such as -config to specify the SANs.

Method 3: Using a combination of configuration file and command-line options

Create a configuration file with the SANs you want to include in the CSR. For example, let's create a file called san.cnf with the following contents:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

# The subject is supplied with -subj below, but openssl req still looks this
# section up (OpenSSL 1.1.1 fails with "unable to find 'distinguished_name' in
# config" if it is missing). It may be left empty.
[req_distinguished_name]

[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com

This configuration file specifies that the CSR should include the SANs example.com and *.example.com.

Generate the CSR using the openssl req command, specifying the configuration file with the -config option and adding additional SANs using the -addext option. For example:

openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config san.cnf -addext "subjectAltName = DNS:foo.example.com, IP:192.0.2.1"

This command generates a CSR for example.com with the SANs example.com, *.example.com, foo.example.com, and 192.0.2.1. The first two SANs are specified in the san.cnf file, and the last two are added using the -addext option.

Method 4: Using OpenSSL configuration file

Edit OpenSSL configuration file /etc/pki/tls/openssl.cnf on your server. Under the [v3_ca] section, add the following line:

subjectAltName = DNS:example.com, DNS:*.example.com

This configuration specifies that the certificate should include the SANs example.com and *.example.com.

Generate the CSR using the openssl req command, specifying the -config option and -new option, like below:

openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config /etc/pki/tls/openssl.cnf

This command generates a CSR for example.com with the SANs example.com and *.example.com.

In this guide, I have covered four different methods to generate a CSR with SANs using OpenSSL. Choose the method that works best for your use case, and ensure that you test your configuration before deploying it in a production environment.
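Whichever method you pick, check the CSR before handing it to a CA. The script below is an added example and not part of the methods above: it writes a san.cnf (with the distinguished_name entry that openssl req expects when -config replaces the default file), generates the key and CSR, confirms the key matches the request, and compares the SANs parsed from `openssl req -text` with the ones requested. The function names, the gen_csr.sh file name and the req_dn section name are my own choices.

```shell
#!/bin/sh
# Added example, not from the original guide: build a san.cnf, generate the
# key and CSR, then confirm the SANs and the key really landed in the request.
set -eu

# Emit a san.cnf for a SAN list such as "DNS:example.com,DNS:*.example.com".
# distinguished_name must exist (it may be empty) because -config replaces the
# default openssl.cnf and OpenSSL 1.1.1 rejects a req config without it.
make_san_config() {
  printf '[req]\ndistinguished_name = req_dn\nreq_extensions = v3_req\n\n[req_dn]\n\n[v3_req]\nsubjectAltName = %s\n' "$1"
}

# Read `openssl req -text` (or `openssl x509 -text`) output on stdin and print
# one SAN per line, normalising "IP Address:x" to the "IP:x" form used in configs.
csr_sans() {
  awk '/X509v3 Subject Alternative Name/ {
         getline; gsub(/^[ \t]+/, ""); n = split($0, a, ", *")
         for (i = 1; i <= n; i++) { sub(/^IP Address:/, "IP:", a[i]); print a[i] }
       }'
}

# True when the private key's public half equals the public key inside the CSR.
key_matches_csr() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Generate $1.key and $1.csr with CN=$1 and SANs $2, then verify both.
generate_and_check() {
  cn=$1; sans=$2; cfg=$(mktemp)
  make_san_config "$sans" > "$cfg"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$cn.key" -out "$cn.csr" \
    -subj "/CN=$cn" -config "$cfg" 2>/dev/null
  rm -f "$cfg"
  key_matches_csr "$cn.key" "$cn.csr" || { echo "key does not match CSR" >&2; return 1; }
  got=$(openssl req -in "$cn.csr" -noout -text | csr_sans)
  set -f                                  # keep DNS:*.example.com from globbing
  for want in $(printf '%s' "$sans" | tr ',' ' '); do
    printf '%s\n' "$got" | grep -qxF -- "$want" || { echo "missing SAN: $want" >&2; return 1; }
  done
  set +f
  echo "$cn.csr carries all requested SANs"
}

# Usage: sh gen_csr.sh example.com "DNS:example.com,DNS:*.example.com,IP:192.0.2.1"
if [ "$#" -ge 2 ]; then generate_and_check "$1" "$2"; fi
```

A CSR whose SAN list comes out empty here (for instance when the extension ended up in a section openssl req does not read) is the case the "test your configuration" advice is meant to catch.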