How to Create Self-Signed Certificate With Extensions and Sans Using Openssl

Publication date: Aug 4, 2025
Task

GOAL

Create self-signed certificate with extensions and/or sans.

Steps
Option 1
Create the self-signed certificate with a single command, passing the SANs with -addext.
openssl req -nodes -x509 -sha256 -newkey rsa:4096 \
  -keyout test2.key \
  -out test2.crt \
  -days 1000 \
  -subj "/C=AU/ST=NSW/L=SYD/O=SFDC/OU=mule/CN=andrew.com"  \
  -addext "subjectAltName = DNS:san1.com,DNS:san2.com"
This is the result.
> openssl x509 -in test2.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c4:dd:5b:2f:44:66:52:5d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=NSW, L=SYD, O=SFDC, OU=mule, CN=andrew.com
        Validity
            Not Before: Feb 24 06:11:50 2023 GMT
            Not After : Nov 20 06:11:50 2025 GMT
        Subject: C=AU, ST=NSW, L=SYD, O=SFDC, OU=mule, CN=andrew.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
  ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:san1.com, DNS:san2.com
    Signature Algorithm: sha256WithRSAEncryption
...

Option 2
Alternatively, reference a configuration file that specifies the SANs, the other extensions, and the subject values.

1. Create the configuration file (e.g. config.conf)
[req]
distinguished_name = req_distinguished_name
# Extension section applied when -x509 is used; the -extensions option on the
# command line overrides this value, so it should name the section defined below.
x509_extensions = my_ext
prompt = no
[req_distinguished_name]
C = AU
ST = NSW
L = SYD
O = SFDC
OU = mule
CN = andrew.com
[my_ext]
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = san1.com
DNS.2 = san2.com
DNS.3 = san3.com
2. Reference the configuration file in the openssl command.
openssl req -x509 -nodes -sha256 -newkey rsa:4096 \
  -keyout test1.key \
  -out test1.crt \
  -days 1000 \
  -config config.conf \
  -extensions my_ext
3. This is the result. This time the output also shows the Key Usage ("Digital Signature, Key Encipherment") and Extended Key Usage ("TLS Web Server Authentication") extensions from the my_ext section.
> openssl x509 -in test1.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a9:0b:be:7d:84:a9:35:ba
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=NSW, L=SYD, O=SFDC, OU=mule, CN=andrew.com
        Validity
            Not Before: Feb 24 06:11:55 2023 GMT
            Not After : Nov 20 06:11:55 2025 GMT
        Subject: C=AU, ST=NSW, L=SYD, O=SFDC, OU=mule, CN=andrew.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:san1.com, DNS:san2.com, DNS:san3.com
    Signature Algorithm: sha256WithRSAEncryption
...
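As an added example (not part of the original article), the script below builds the Option 2 certificate in a temporary directory and then checks which hostnames OpenSSL's own hostname matching accepts it for. It assumes openssl 1.1.1 or later is on PATH and uses rsa:2048 only to keep the run short. It also demonstrates a point the dumps above do not make explicit: once a subjectAltName with DNS entries is present, the CN is ignored, so andrew.com is not covered unless it is also listed as a SAN.

```shell
#!/bin/sh
# Added example, not from the original article: build the Option 2 certificate
# in a temporary directory and check which hostnames it actually matches.
# Assumes openssl 1.1.1 or later is on PATH; rsa:2048 is used only for speed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# The article's config, with x509_extensions pointing at the section that exists.
cat > "$WORKDIR/config.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = my_ext
prompt = no
[req_distinguished_name]
C = AU
ST = NSW
L = SYD
O = SFDC
OU = mule
CN = andrew.com
[my_ext]
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = san1.com
DNS.2 = san2.com
DNS.3 = san3.com
EOF

CERT="$WORKDIR/test1.crt"
openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -sha256 \
  -keyout "$WORKDIR/test1.key" -out "$CERT" \
  -config "$WORKDIR/config.conf" -extensions my_ext 2>/dev/null

# cert_matches_host CERT HOST: exit 0 if OpenSSL's hostname check (the same
# X509_check_host a TLS client uses) accepts CERT for HOST, 1 otherwise.
# Once a SAN with DNS names is present, the CN is ignored by this check.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

for h in san1.com san3.com andrew.com www.san1.com; do
  if cert_matches_host "$CERT" "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

Expect san1.com and san3.com to be accepted and andrew.com and www.san1.com to be rejected; add "DNS.4 = andrew.com" under [alt_names] if the CN host must also be served.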


Knowledge Article Number

001115354

Salesforce Help | Article