How to Generate a CSR (Certificate Signing Request)
Prerequisites
Before you begin, make sure you have OpenSSL installed on your system. You can check if OpenSSL is installed by running the following command:
openssl version
If OpenSSL is not installed, you can install it using your system's package manager.
Windows
- Download the OpenSSL installer from the OpenSSL website.
- Run the installer and follow the prompts to install OpenSSL on your system. You can choose the default options, or customize the installation as needed.
- Once the installation is complete, you can use the OpenSSL command-line tools in the "bin" directory of the installation directory.
macOS
- Open a terminal window.
- Install the Homebrew package manager by running the following command:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- Once Homebrew is installed, run the following command to install OpenSSL:
brew install openssl
- After installation, you can access the OpenSSL command-line tools by running the following command:
openssl
or
/usr/local/opt/openssl/bin/openssl
Linux
Ubuntu or Debian
- Open a terminal window.
- Run the following command to install OpenSSL:
sudo apt-get install openssl
CentOS or Fedora
- Open a terminal window.
- Run the following command to install OpenSSL:
sudo yum install openssl
Arch Linux
- Open a terminal window.
- Run the following command to install OpenSSL:
sudo pacman -S openssl
After installation, you can access the OpenSSL command-line tools by running the following command:
openssl
That's it! You should now have OpenSSL installed on your system.
Method 1: Using a configuration file
Create a configuration file with the SANs you want to include in the CSR. For example, let's create a file called san.cnf with the following contents:
[req]
# Required by OpenSSL 1.1.1 even when -subj supplies the subject; the section can stay empty.
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com
This configuration file specifies that the CSR should include the SANs example.com and *.example.com.
Generate the CSR using the openssl req command, specifying the configuration file with the -config option. For example:
openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config san.cnf
This command generates a CSR for example.com with the SANs example.com and *.example.com.
Method 2: Using command-line options
Generate the CSR using the openssl req command, specifying the SANs using the -addext option. For example:
openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -addext "subjectAltName = DNS:example.com, DNS:*.example.com"
This command generates a CSR for example.com with the SANs example.com and *.example.com.
Note that the -addext option was added in OpenSSL version 1.1.1. If you're using an older version of OpenSSL, you may need to use a different option such as -config to specify the SANs.
Method 3: Using a combination of configuration file and command-line options
Create a configuration file with the SANs you want to include in the CSR. For example, let's create a file called san.cnf with the following contents:
[req]
# Required by OpenSSL 1.1.1 even when -subj supplies the subject; the section can stay empty.
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com
This configuration file specifies that the CSR should include the SANs example.com and *.example.com.
Generate the CSR using the openssl req command, specifying the configuration file with the -config option and adding additional SANs using the -addext option. For example:
openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config san.cnf -addext "subjectAltName = DNS:foo.example.com, IP:192.0.2.1"
This command generates a CSR for example.com with the SANs example.com, *.example.com, foo.example.com, and 192.0.2.1. The first two SANs are specified in the san.cnf file, and the last two are added using the -addext option.
Method 4: Using OpenSSL configuration file
Edit the OpenSSL configuration file /etc/pki/tls/openssl.cnf on your server (the path varies by distribution). Under the [v3_ca] section, add the following line:
subjectAltName = DNS:example.com, DNS:*.example.com
This configuration specifies that the certificate should include the SANs example.com and *.example.com.
Generate the CSR using the openssl req command, specifying the -config option and the -new option, like below:
openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config /etc/pki/tls/openssl.cnf
This command generates a CSR for example.com with the SANs example.com and *.example.com.
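The following script is an added example, not code from the original guide: it runs Method 1 (config file) and Method 2 (-addext) end to end, verifies each CSR's self-signature, and prints the SANs that actually ended up in the request. The read-back step is worth doing for every method, because an extension section is only applied to a CSR when the [req] section's req_extensions entry names it, so checking the CSR before sending it to the CA catches a configuration edited in the wrong place. It assumes the openssl CLI (1.1.1 or later, for -addext) is on PATH; the function names and the scratch-directory layout are my own.

```shell
#!/bin/sh
# Added example, not code from the original guide. Generates a CSR with SANs
# two ways (config file, then -addext) and reads the SANs back out of each CSR
# so you can confirm what was actually requested. Assumes the openssl CLI
# (1.1.1 or later, for -addext) is on PATH; all function names are my own.
set -eu

SUBJECT="/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com"

# Write a minimal req config. OpenSSL 1.1.1 refuses to run without a
# distinguished_name entry even when -subj supplies the subject, so point it
# at an empty section. Arg: path of the config file to write.
write_san_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com
EOF
}

# Method 1: SANs come from the config file. Args: config key csr
generate_csr_config() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
    -subj "$SUBJECT" -config "$1"
}

# Method 2: SANs come from -addext; the default config is used. Args: key csr
generate_csr_addext() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "$SUBJECT" \
    -addext "subjectAltName = DNS:example.com, DNS:*.example.com"
}

# Check the CSR's self-signature, i.e. that it was signed by the key whose
# public half it carries. Exit status 0 means OK. Arg: csr
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the SANs actually present in a CSR, one per line. Works on a CSR
# produced by any of the guide's methods, so use it to confirm that the
# extension section you edited really reached the request. Arg: csr
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//'
}

# Run both methods in a scratch directory and show the resulting SANs.
demo() {
  dir=$(mktemp -d)
  write_san_config "$dir/san.cnf"
  generate_csr_config "$dir/san.cnf" "$dir/m1.key" "$dir/m1.csr"
  generate_csr_addext "$dir/m2.key" "$dir/m2.csr"
  for csr in "$dir/m1.csr" "$dir/m2.csr"; do
    csr_verify "$csr" && echo "$csr: signature OK"
    csr_sans "$csr"
  done
  rm -rf "$dir"
}

demo
```

Run it with sh and compare the printed SANs against what you expected to request; csr_sans works the same way on a CSR produced by Method 3 or Method 4, which is the quickest way to see whether a subjectAltName line placed in the system openssl.cnf was actually picked up.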
In this guide, I have covered four different methods to generate a CSR with SANs using OpenSSL. Choose the method that works best for your use case, and ensure that you test your configuration before deploying it in a production environment.