Create a self-signed certificate with SAN

In an earlier post I explained why Google Chrome does not trust a certificate that lacks a Subject Alternative Name (SAN) extension: Chrome ignores the Common Name when matching the hostname, so a certificate with only a CN fails with a name-mismatch error. In that post I also showed how to create a self-signed certificate with a single openssl command, but the resulting certificate had no SAN. This post shows how to create a self-signed certificate that does carry a SAN, suitable for a development environment.

Before running the openssl command, first write a configuration file that describes the certificate. The following configuration file is an example:

[req]
prompt = no
default_md = sha256
default_bits = 2048
encrypt_key = no
default_keyfile = tls.key
distinguished_name = dn_section
x509_extensions = x509_ext_section

[dn_section]
C = CN
ST = Shandong
L = Qingdao
O = Nokia
OU = COM Team
CN = deskshell.com

[x509_ext_section]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = @san_section

[san_section]
DNS.1 = deskshell.com
DNS.2 = www.deskshell.com

The req section sets the parameters of the certificate request: the digest algorithm, the key size in bits, whether the key file is encrypted, and the names of the other sections to read. Because prompt = no is set, the values in dn_section (countryName, commonName, localityName, and so on) are taken literally instead of being asked for interactively. The x509_ext_section section holds the X.509 v3 extensions; note that when openssl req is run with -x509 it reads extensions from x509_extensions, whereas req_extensions only applies to certificate signing requests. The last section, san_section, lists the subject alternative names; the CN is repeated there as DNS.1 because Chrome matches the hostname against the SAN only. Adjust the configuration file to your specific needs.

Once the configuration file is in place, run the command below to generate the self-signed certificate with SAN. The -new option generates a fresh private key (since no -key is given), and -x509 makes openssl emit a self-signed certificate instead of a certificate signing request:

openssl req -new -x509 -days 365 -out tls.crt -config cert.conf

The certificate is written to tls.crt and the private key to tls.key (the default_keyfile from the configuration) in the current working directory. Keep in mind that a SAN only fixes the name-mismatch error; the browser or operating system still has to be told to trust tls.crt, since it is not signed by any CA it knows.
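The whole procedure, written as a small shell script so it can be rerun and checked, is an added example and not part of the original post. It reproduces the configuration above for a given hostname, generates the certificate, and then parses the certificate back with openssl x509 to confirm that the SAN extension actually lists the expected DNS names (and that CA:FALSE took effect). For contrast it also generates a certificate with the single-command, SAN-less approach from the earlier post and shows that it has no SAN. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the hostnames and the temporary output directory are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed
# certificate with SAN from an inline req config and verify the result.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH; hostnames and the
# output directory are illustrative.
set -eu

# Write a req config for HOST ($2) with a SAN section listing HOST and
# www.HOST into DIR/cert.conf ($1). Mirrors the config shown in the post.
write_san_conf() {
  cat > "$1/cert.conf" <<EOF
[req]
prompt = no
default_md = sha256
default_bits = 2048
encrypt_key = no
distinguished_name = dn_section
x509_extensions = x509_ext_section

[dn_section]
C = CN
ST = Shandong
L = Qingdao
O = Nokia
OU = COM Team
CN = $2

[x509_ext_section]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = @san_section

[san_section]
DNS.1 = $2
DNS.2 = www.$2
EOF
}

# Generate DIR/tls.key and DIR/tls.crt from that config. -keyout is used
# instead of default_keyfile so the key lands next to the config file.
gen_san_cert() {
  write_san_conf "$1" "$2"
  openssl req -new -x509 -days 365 -config "$1/cert.conf" \
    -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# The SAN-less one-liner from the earlier post, for comparison:
# only a CN, no config file, no subjectAltName.
gen_plain_cert() {
  openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/plain.key" -out "$1/plain.crt" 2>/dev/null
}

# Print the subjectAltName value of CERT ($1); prints nothing if the
# extension is absent. Parses the human-readable -text dump, which puts
# the value on the line after the "Subject Alternative Name" header.
san_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# Succeed if CERT ($1) lists DNS:NAME ($2) as a whole SAN entry.
# Dots in NAME are escaped so they are not treated as regex wildcards.
has_dns_san() {
  name=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  san_of "$1" | grep -Eq "(^|, )DNS:$name(,|\$)"
}

# Succeed if CERT ($1) is marked as a CA via basicConstraints.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Run "sh thisfile.sh demo" to see both certificates side by side.
demo() {
  d=$(mktemp -d)
  gen_san_cert "$d" deskshell.com
  echo "SAN of tls.crt:   '$(san_of "$d/tls.crt")'"
  gen_plain_cert "$d" deskshell.com
  echo "SAN of plain.crt: '$(san_of "$d/plain.crt")'"
  rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

The check in has_dns_san is the one worth keeping around: after any change to the configuration, confirm that the DNS names you expect are really in the SAN before you import the certificate into the browser, because a missing or misspelled san_section entry still produces a valid-looking certificate that Chrome will reject.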

Note:
The exact meaning of each field in the configuration file is documented in the req(1), x509(1) and x509v3_config(5) man pages.