How to Generate a CSR (Certificate Signing Request)
Prerequisites
Before you begin, make sure you have OpenSSL installed on your system. You can check if OpenSSL is installed by running the following command:
openssl version
If OpenSSL is not installed, you can install it using your system's package manager.
Windows
- Download the OpenSSL installer from the OpenSSL website.
- Run the installer and follow the prompts to install OpenSSL on your system. You can choose the default options, or customize the installation as needed.
- Once the installation is complete, you can use the OpenSSL command-line tools in the "bin" directory of the installation directory.
macOS
- Open a terminal window.
- Install the Homebrew package manager by running the following command:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- Once Homebrew is installed, run the following command to install OpenSSL:
brew install openssl
- After installation, you can access the OpenSSL command-line tools by running either of the following commands (the second is the Homebrew copy):
openssl
/usr/local/opt/openssl/bin/openssl
Linux
Ubuntu or Debian
- Open a terminal window.
- Run the following command to install OpenSSL:
sudo apt-get install openssl
CentOS or Fedora
- Open a terminal window.
- Run the following command to install OpenSSL:
sudo yum install openssl
Arch Linux
- Open a terminal window.
- Run the following command to install OpenSSL:
sudo pacman -S openssl
- After installation, you can access OpenSSL command-line tools by running the following command:
openssl
That's it! You should now have OpenSSL installed on your system.
Method 1: Using a configuration file
Create a configuration file with the SANs you want to include in the CSR. For example, let's create a file called san.cnf with the following contents:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Left empty because the subject comes from -subj; without a named section, "openssl req -config" can fail with "unable to find 'distinguished_name' in config".
[req_distinguished_name]
[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com
This configuration file specifies that the CSR should include the SANs example.com and *.example.com.
Generate the CSR using the openssl req command, specifying the configuration file with the -config option. For example:
openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config san.cnf
This command generates a CSR for example.com with the SANs example.com and *.example.com.
Method 2: Using command-line options
Generate the CSR using the openssl req command, specifying the SANs using the -addext option. For example:
openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -addext "subjectAltName = DNS:example.com, DNS:*.example.com"
This command generates a CSR for example.com with the SANs example.com and *.example.com.
Note that the -addext option was added in OpenSSL version 1.1.1. If you're using an older version of OpenSSL, you may need to use a different option such as -config to specify the SANs.
Method 3: Using a combination of configuration file and command-line options
Create a configuration file with the SANs you want to include in the CSR. For example, let's create a file called san.cnf with the following contents:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Left empty because the subject comes from -subj; without a named section, "openssl req -config" can fail with "unable to find 'distinguished_name' in config".
[req_distinguished_name]
[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com
This configuration file specifies that the CSR should include the SANs example.com and *.example.com.
Generate the CSR using the openssl req command, specifying the configuration file with the -config option and adding additional SANs using the -addext option. For example:
openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config san.cnf -addext "subjectAltName = DNS:foo.example.com, IP:192.0.2.1"
This command generates a CSR for example.com with the SANs example.com, *.example.com, foo.example.com, and 192.0.2.1. The first two SANs are specified in the san.cnf file, and the last two are added using the -addext option. Because subjectAltName is a single X.509 extension, inspect the resulting CSR (openssl req -in example.csr -noout -text) to confirm how your OpenSSL version combines the two sources before submitting it to a CA.
Method 4: Using OpenSSL configuration file
Edit the OpenSSL configuration file /etc/pki/tls/openssl.cnf on your server. Under the [v3_ca] section, add the following line:
subjectAltName = DNS:example.com, DNS:*.example.com
This configuration specifies that the certificate should include the SANs example.com and *.example.com. Note that openssl req only reads request extensions from the section named by req_extensions in its [req] section, so confirm that the SANs actually appear in the generated CSR (openssl req -in example.csr -noout -text).
Generate the CSR using the openssl req command, specifying the -config option and the -new option, like below:
openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config /etc/pki/tls/openssl.cnf
This command generates a CSR for example.com with the SANs example.com and *.example.com.
In this guide, I have covered four different methods to generate a CSR with SANs using OpenSSL. Choose the method that works best for your use case, and ensure that you test your configuration, for example by confirming that the expected SANs appear in the decoded CSR (openssl req -in example.csr -noout -text), before deploying it in a production environment.
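One way to carry out that test, as an added example that is not part of the original guide: a POSIX shell script that builds a san.cnf-style configuration from a list of names, generates the key and CSR as in Methods 1 to 4, and then checks that every requested SAN is present in the decoded request. The function names are the example's own, and it assumes that any name containing something other than digits and dots is a DNS name while the rest are IPv4 literals.

```shell
# Added example (not from the original guide): build a san.cnf-style config from
# a list of names, generate the key and CSR, and verify that every requested SAN
# appears in the request. Names with anything but digits and dots are treated as DNS.
set -eu

# Map a name to its SAN entry; $2 is "IP" (config form) or "IP Address" (the
# form "openssl req -text" prints).
san_entry() {
    case "$1" in
        *[!0-9.]*) printf 'DNS:%s' "$1" ;;
        *)         printf '%s:%s' "$2" "$1" ;;
    esac
}

# Print a complete req config. Unlike the four-line san.cnf in the guide it also
# names a distinguished_name section, without which "openssl req -config" can
# fail with "unable to find 'distinguished_name' in config" even when -subj is given.
build_san_config() {
    list=""
    for name in "$@"; do
        list="${list:+$list, }$(san_entry "$name" IP)"
    done
    printf '[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n'
    printf '[req_distinguished_name]\n[v3_req]\nsubjectAltName = %s\n' "$list"
}

# Succeed only if the decoded CSR lists every requested SAN. This is the check
# that catches an extension section "openssl req" never read (one not named by req_extensions).
verify_csr_sans() {
    csr=$1; shift
    sans=$(openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1)
    status=0
    for name in "$@"; do
        case "$sans" in
            *"$(san_entry "$name" 'IP Address')"*) ;;
            *) echo "missing SAN: $name" >&2; status=1 ;;
        esac
    done
    return $status
}

# Usage: gen_csr_with_sans example.key example.csr /CN=example.com example.com '*.example.com'
gen_csr_with_sans() {
    key=$1; csr=$2; subj=$3; shift 3
    cnf=$(mktemp)
    build_san_config "$@" > "$cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "$subj" -config "$cnf"
    rm -f "$cnf"
    verify_csr_sans "$csr" "$@"
}
```

A non-zero exit from gen_csr_with_sans means the CSR is missing at least one of the names you asked for, which is exactly the failure that Method 4's [v3_ca] placement or a version-dependent -addext merge would produce.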