When working with SSL/TLS certificates, modern browsers and TLS clients no longer use the Common Name (CN) for hostname matching at all: they check only the Subject Alternative Name (SAN) extension, and a certificate without one fails validation even when the CN matches. The CN is still set for backward compatibility and should repeat one of the SAN entries, but the SAN list is what determines which domain names and IP addresses the certificate is valid for.
The typical command to generate a self-signed certificate looks like this:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -subj '/CN=example.com'
However, this certificate carries no SAN extension, so Chrome, Firefox and Safari reject it for example.com (Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID). Note also that without -nodes (or -noenc on OpenSSL 3) the private key is written encrypted and openssl prompts for a passphrase.
To include SANs, either pass them on the command line with -addext (OpenSSL 1.1.1 and later) or describe them in a configuration file. The one-liner is the quickest method:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 \
-subj '/CN=example.com' \
-addext 'subjectAltName=DNS:example.com,DNS:www.example.com,IP:192.168.1.1'
For more complex scenarios, using a config file gives you better control:
1. First, create a config file (san.cnf):
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = example.com
[v3_req]
basicConstraints = CA:FALSE
# TLS uses the key to sign ((EC)DHE suites and TLS 1.3) or, for legacy RSA
# key exchange, to decrypt; dataEncipherment is never used by TLS
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
IP.1 = 192.168.1.1
2. Then generate the certificate (x509_extensions in [req] is what -x509 reads; add -nodes, or -noenc on OpenSSL 3, if the key should not be passphrase-protected):
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -config san.cnf
After generation, verify that the SAN extension is present and lists every name (on OpenSSL 1.1.1+ `openssl x509 -in cert.pem -noout -ext subjectAltName` prints just that extension):
openssl x509 -in cert.pem -text -noout | grep -A 1 "Subject Alternative Name"
- Older OpenSSL versions: if you're using OpenSSL < 1.1.1 (check with `openssl version`), the -addext option does not exist and the command fails with an unknown-option error. Use the config file method instead.
- Multiple domains: include every name clients will actually connect to (with and without www, each subdomain). Each is an exact match; a wildcard entry covers exactly one label and does not cover the apex domain.
- IP addresses: list them as IP: entries, never as DNS: entries, because a client connecting to an IP literal only matches IP: entries. For local development include both DNS:localhost and IP:127.0.0.1 (and IP:::1 if you use the IPv6 loopback).
- Wildcards: for development environments you might want a wildcard certificate. *.example.com covers www.example.com and dev.example.com but neither example.com nor a.b.example.com, so list the apex separately:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 \
-subj '/CN=*.example.com' \
-addext 'subjectAltName=DNS:*.example.com,DNS:example.com'
When creating self-signed certificates using OpenSSL, developers often need to specify Subject Alternative Names (SANs) for modern browser compatibility. Before OpenSSL 1.1.1 the openssl req command did not expose SAN configuration through command-line parameters at all, so the approach that works on every version is a temporary OpenSSL configuration file:
cat > ssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = example.com
[v3_req]
basicConstraints = CA:FALSE
# digitalSignature covers (EC)DHE and TLS 1.3, keyEncipherment legacy RSA
# key exchange; dataEncipherment is never used by TLS
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = dev.example.com
IP.1 = 192.168.1.1
EOF
Execute this command to generate both key and certificate with SANs. The config sets req_extensions, which openssl req only applies when writing a CSR; -x509 reads x509_extensions instead, so -extensions v3_req on the command line is what makes the SANs land in the self-signed certificate. -nodes leaves the private key unencrypted:
openssl req -x509 -newkey rsa:2048 \
-keyout key.pem -out cert.pem \
-days 365 -nodes -config ssl.cnf \
-extensions v3_req
Check the generated certificate contains the SANs:
openssl x509 -in cert.pem -noout -text | grep -A 1 "Subject Alternative Name"
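Both configuration-file procedures on this page (x509_extensions set in [req], or req_extensions plus -extensions v3_req) are easy to get subtly wrong: an IP address written under DNS: or a wildcard that is not the whole leftmost label is accepted by openssl req but never matches in a browser, and a CN that is missing from the SAN list is simply ignored. The following Python script is an added example, not code from the original page or from the OpenSSL project. It builds the [alt_names] section and the equivalent -addext value from a single list of names, validating each entry first. The function names (classify, san_entries, addext_value, req_config, openssl_command), the output file name san.cnf and the sample name list are the example's own choices.

```python
"""Build OpenSSL SAN configuration from one list of names.

Added example (not from the page or from OpenSSL): each entry is classified
as DNS or IP, normalised and validated, then emitted as an [alt_names]
section for -config and as a -addext value for OpenSSL 1.1.1+.
"""
import ipaddress
import re
import shlex
from typing import List, Tuple

# RFC 1123 host label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def classify(entry: str) -> Tuple[str, str]:
    """Return ("IP", addr) or ("DNS", host); raise ValueError on junk.

    An IP literal must become an IP: entry; DNS:192.168.1.1 is accepted by
    openssl but never matches a client connecting to that address.
    """
    entry = entry.strip()
    try:
        return "IP", str(ipaddress.ip_address(entry))
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    host = entry.lower().rstrip(".")
    labels = host.split(".")
    if labels[0] == "*":  # wildcard is allowed only as the whole leftmost label
        labels = labels[1:]
        if len(labels) < 2:
            raise ValueError(f"wildcard too broad: {entry}")
    for label in labels:
        if "*" in label:
            raise ValueError(f"wildcard must be the whole leftmost label: {entry}")
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {entry}")
    return "DNS", host


def san_entries(names) -> List[Tuple[str, str]]:
    """Classify, de-duplicate, and order DNS entries before IP entries."""
    seen: List[Tuple[str, str]] = []
    for name in names:
        entry = classify(name)
        if entry not in seen:
            seen.append(entry)
    return sorted(seen, key=lambda e: e[0] == "IP")  # stable sort: DNS first


def addext_value(names) -> str:
    """Value for: openssl req ... -addext '<value>'  (OpenSSL >= 1.1.1)."""
    return "subjectAltName=" + ",".join(f"{k}:{v}" for k, v in san_entries(names))


def req_config(cn: str, names) -> str:
    """Config text for `openssl req -config`; x509_extensions serves -x509,
    req_extensions serves CSR generation, both point at the same section."""
    entries = san_entries(names)
    if ("DNS", cn.lower().rstrip(".")) not in entries and ("IP", cn) not in entries:
        raise ValueError("CN must also appear in the SAN list; browsers ignore CN")
    counters = {"DNS": 0, "IP": 0}
    alt_names = []
    for kind, value in entries:
        counters[kind] += 1
        alt_names.append(f"{kind}.{counters[kind]} = {value}")
    lines = [
        "[req]", "distinguished_name = req_distinguished_name",
        "x509_extensions = v3_req", "req_extensions = v3_req", "prompt = no", "",
        "[req_distinguished_name]", f"CN = {cn}", "",
        "[v3_req]", "basicConstraints = CA:FALSE",
        # TLS signs with the key or (legacy RSA kx) decrypts with it; never dataEncipherment
        "keyUsage = digitalSignature, keyEncipherment",
        "extendedKeyUsage = serverAuth", "subjectAltName = @alt_names", "",
        "[alt_names]", *alt_names, "",
    ]
    return "\n".join(lines)


def openssl_command(config="san.cnf", days=365, key="key.pem", cert="cert.pem") -> str:
    """Shell-quoted command line that consumes the generated config file."""
    return shlex.join(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                       "-keyout", key, "-out", cert, "-days", str(days),
                       "-config", config])


if __name__ == "__main__":
    # Sample name list (constructed for the example).
    names = ["example.com", "www.example.com", "dev.example.com", "192.168.1.1", "::1"]
    with open("san.cnf", "w") as fh:
        fh.write(req_config("example.com", names))
    print(openssl_command())
    print("# or, on OpenSSL 1.1.1+, without a config file:")
    print("openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem "
          "-days 365 -subj /CN=example.com -addext", shlex.quote(addext_value(names)))
```

Running the script writes san.cnf and prints both command forms; feed the result to the verification command above to confirm that the DNS and IP entries came out under the expected types.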
For quick testing without config files (OpenSSL 1.1.1+):
openssl req -x509 -newkey rsa:2048 \
-subj "/CN=example.com" \
-addext "subjectAltName = DNS:example.com,DNS:www.example.com,IP:127.0.0.1" \
-keyout key.pem -out cert.pem -days 365 -nodes
- Chrome has ignored the CN and required a SAN extension since version 58 (2017). Safari on macOS 10.15 / iOS 13 additionally requires extendedKeyUsage serverAuth and a validity period of 825 days or less for server certificates.
- A wildcard SAN such as DNS:*.example.com matches exactly one label: add DNS:example.com for the apex and an explicit entry for any deeper name.
- For production, use certificates from a trusted CA; self-signed certificates are for development and testing and require adding the certificate to the trust store of every client.
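To make the matching rules behind these notes concrete, the following Python script is an added example, not code from the original page, implementing the hostname check a browser applies to a certificate's SAN list: case-insensitive exact DNS match, a wildcard only as the whole leftmost label and standing for exactly one label, IP literals matched only against IP: entries, and the CN never consulted. The SAN lines it parses are constructed to look like the "X509v3 Subject Alternative Name" line printed by openssl x509 -text and are not taken from real certificates; the function names and sample values are the example's own.

```python
"""Hostname matching against a certificate's SAN list, as browsers do it.

Added example, not from the original page. The SAN strings below are
constructed in the format of `openssl x509 -text` output.
"""
import ipaddress
from typing import List, Tuple


def parse_san_line(text: str) -> List[Tuple[str, str]]:
    """Parse 'DNS:example.com, DNS:www.example.com, IP Address:192.168.1.1'."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")  # split on the first colon only,
        kind = kind.strip()                    # so IPv6 values keep theirs
        entries.append(("IP" if kind == "IP Address" else kind, value.strip()))
    return entries


def dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 rules as browsers apply them: exact match ignoring case, or a
    wildcard that is the entire leftmost label and stands for exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # 'www*.example.com' and 'a.*.example.com' are rejected
    if len(p_labels) < 3:
        return False  # '*.com' is too broad
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_covered(sans: List[Tuple[str, str]], host: str) -> bool:
    """True if the name the client connected to is covered by the SAN list.

    The CN is never consulted, so a certificate without a SAN extension
    (an empty list) matches nothing. An IP literal matches only IP: entries,
    never a DNS: entry carrying the same text.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_match(value, host):
            return True
    return False


# Constructed SAN lists for four certificates (not real certificates).
WILDCARD_CERT = parse_san_line("DNS:*.example.com, DNS:example.com")
DEV_CERT = parse_san_line("DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1")
CN_ONLY_CERT: List[Tuple[str, str]] = []  # CN=example.com but no SAN extension
WRONG_IP_CERT = parse_san_line("DNS:127.0.0.1")  # IP written under DNS: by mistake


if __name__ == "__main__":
    checks = [
        (WILDCARD_CERT, "www.example.com"), (WILDCARD_CERT, "example.com"),
        (WILDCARD_CERT, "a.b.example.com"), (DEV_CERT, "127.0.0.1"),
        (DEV_CERT, "::1"), (CN_ONLY_CERT, "example.com"), (WRONG_IP_CERT, "127.0.0.1"),
    ]
    for sans, host in checks:
        print(f"{host:20} {'ok' if hostname_covered(sans, host) else 'NAME MISMATCH'}")
```

The last two cases are the ones that bite in practice: a CN-only certificate and an IP address listed as a DNS: entry both produce a name-mismatch error even though the text of the name is right.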