Generating a SAN Certificate Request

To generate a multi-domain SAN certificate request, follow this procedure:

  1. Log in to a suitable UNIX or Linux server.
  2. Create a file called openssl.cnf with the following contents:

    [ req ]
    default_bits = 2048
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    
    [ req_distinguished_name ]
    countryName = Country
    countryName_default = US
    stateOrProvinceName = State
    stateOrProvinceName_default = California
    localityName = City
    localityName_default = Santa Cruz
    organizationName = Organization
    organizationName_default = UC Santa Cruz
    commonName = Primary Host Name
    commonName_max = 64
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = foo.soe.ucsc.edu
    DNS.2 = bar.soe.ucsc.edu
    DNS.3 = baz.soe.ucsc.edu

    Be sure to change the host names to match the ones you want to generate a request for.
  3. Run the following command:

    openssl req -new -nodes -keyout foo.soe.ucsc.edu.key -out foo.soe.ucsc.edu.csr -config openssl.cnf

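    Replace foo.soe.ucsc.edu with the fully qualified host name of the primary host for this certificate. The -nodes option writes the private key to the .key file unencrypted, so keep that file readable only by its owner.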
  4. You're done! Submit the CSR file to the certificate authority and you're good to go.

Note that if you want to add a new host to the certificate later, you'll have to request a new certificate using this procedure. There is no way to add a new host to an existing certificate after it's been issued.
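
Before submitting the CSR in step 4, it is worth confirming that the subjectAltName extension actually made it into the request and lists every host you intended. The script below is an added example, not part of the original procedure; the function names csr_sans, check_csr and make_sample_csr are made up for illustration, and the sample CSR is built from a trimmed copy of the configuration above with a throwaway key.

```shell
#!/bin/sh
# Added example (not from the original page): check a CSR before submitting it.

# Print the DNS names in the CSR's subjectAltName extension, sorted, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# check_csr CSR NAME...: succeed only if the CSR's self-signature verifies
# and its SAN list is exactly NAME... (order does not matter).
check_csr() {
    csr=$1; shift
    # Match the "verify OK" message rather than trusting the exit status,
    # which some openssl versions leave at 0 when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "self-signature check failed: $csr" >&2; return 1; }
    want=$(printf '%s\n' "$@" | sort)
    got=$(csr_sans "$csr")
    [ "$want" = "$got" ] || {
        echo "SAN mismatch in $csr; found: $(echo $got)" >&2; return 1; }
}

# make_sample_csr DIR: constructed test input. Writes a trimmed copy of the
# page's openssl.cnf and generates a throwaway key and CSR in DIR.
make_sample_csr() (
    cd "$1" || exit 1
    umask 077    # -nodes leaves the key unencrypted, so create it owner-only
    cat > openssl.cnf <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
commonName = Primary Host Name
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = foo.soe.ucsc.edu
DNS.2 = bar.soe.ucsc.edu
DNS.3 = baz.soe.ucsc.edu
EOF
    openssl req -new -nodes -keyout foo.soe.ucsc.edu.key \
        -out foo.soe.ucsc.edu.csr -config openssl.cnf \
        -subj '/CN=foo.soe.ucsc.edu' 2>/dev/null
)
```

For a real request, source the functions and run check_csr foo.soe.ucsc.edu.csr followed by the host names from your [alt_names] section; a non-zero exit means the CSR should be regenerated rather than submitted.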