How To Generate A CSR For A Multi-Domain SSL Certificate Using OpenSSL?

In general, SSL certificates are used to validate a single domain. However, some practical requirements force you to think about securing multiple domains with a single certificate. If you are a beginner, you are searching for the solution to this problem. Then you are at the right place. The short answer to this is, yes, you can secure multiple domains with a single certificate. To acquire an SSL certificate that secures multiple domains, you should generate a CSR (Certificate Signing Request) for your multi-domain certificate to submit to the CA to sign. After you read this post, you will be in a position to answer how to generate a CSR for a multi-domain SSL certificate using OpenSSL.

Before you go ahead, we encourage you to learn about the different types of certificates if you have time.

What Is A Multi-Domain/SAN Certificate?

Multi-domain certificates are certificates that can be used to validate more than one domain name. They are also known by two other names. 1. UCC, which stands for “unified communication certificate,” and 2. SAN (which stands for “subject alternative name”) certificates.

Well, suppose you ever created a Certificate Signing Request for a single domain certificate. In that case, you might be aware of the ‘common name’ field, which contains a Fully Qualified Domain Name (FQDN) for which the certificate is created. Well, if you think you will have multiple common names in a single SSL certificate, you are wrong. You will have only one common name, which is the primary domain of the certificate. In addition to that, you will have multiple Subject Alternative Names (SAN) or Alt Name or DNS Name in the certificate. Each SAN will serve as a common name. That’s why it is also called SAN certificate.

See also  What Is Command Injection Vulnerability? And How To Prevent It?

Let’s see an example of a multi-domain or SAN certificate:

If you create a certificate with this information, the certificate will secure all four domains. The same certificate can be used for any of the four domains.

CN (Common Name) =
DNS 1 =
DNS 2 =
DNS 3 =

What Is The Maximum Number Of SAN Are Allowed In A SSL Certificate?

Different Certificate Authorities have specified different maximum limits. Windows Certificate Authority has set the limit up to 4 Kb. However, RFC5280 Section 4.2.1. doesn’t specify the maximum limit. the range is defined as 1…MAX. The value of MAX is not specified.

How To Generate A CSR for Multi-Domain SSL Certificates?

Let’s see how to generate a CSR for the certificate, which can be used to secure multiple domains. Let learn how to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL.

Time needed: 15 minutes.

How to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL?

  1. Create a copy of OpenSSL config fileCreate a copy of the existing config file. The existing OpenSSL config file will be at /etc/ssl/openssl.cnf or /usr/lib/ssl/openssl.cnf.

    Use the cp command to take a copy of the config file:

    # cp /etc/ssl/openssl.cnf /home/arunkl/multi-domain-site/

    Create an copy of OpenSSL config file
  2. Edit the config file and enable [ v3_req ]Use your choice of editors to edit the config file. We use nano in this demonstration.

    # nano /home/arunkl/multi-domain-site/openssl.cnf

    Look for the [ req ] section. Uncomment the following line: If you don’t see the line, add it under the [ req ]. This will direct OpenSSL to read the [ v3_req ] section.

    req_extensions = v3_req

    Edit the OpenSSL config file
  3. Enable SubjectAltName under [ v3_req ] sectionScroll down until you see [ v3_req ] and add the following line: This will direct the config file to read alt names.

    subjectAltName = @alt_names

    Enable SubjectAltName
  4. Add Alt Name or SAN names in the config fileCreate a new section [ alt_names ] at the bottom of the config file. Add SAN or DNS or Alt names like this.

    [ alt_names ]
    DNS.1 =
    DNS.2 =
    DNS.3 = securitymaster .local
    DNS.4 = mydomain.local

    Note: Do not add the domain name used in the common name field again.

    Now you are done with the creation of the config file. Hit Ctrl + o to save the config file and Ctrl + x to exit.

    Add Alt Name or SAN names to the CSR
  5. Generate the private keyRun this command to create a private key for your certificate. Do not use a passphrase as Nginx will have to use this private key.

    # openssl genrsa -out 2048

    Create private key using OpenSSL
  6. Generate the CSR for multi-domain or SAN certificateCreate the CSR importing the private key and the config file created in the previous sections.

    # openssl req -new -key -out -config

    Generate the CSR for multi-domain or SAN certificate
  7. Test the CSRTest the CSR with the following command:

    # openssl req -in -noout -text

    The CSR is ready to submit to the Certificate Authority.

    How to decode the CSR using openssl
See also  Step-by-Step Procedure to Set Up TryCloudflare to Access Your Local Application Over the Internet

See Also What Is A Buffer Overflow Attack And How To Prevent It?

This is how you can generate a CSR for a multi-domain SSL certificate.

Leave a Reply

Your email address will not be published. Required fields are marked *