A new version of the CERN-CA-certs package is available in the QA environment.
The new package removes the older certificates of the CERN Certification Authority. Please make sure to test your services and software with the new package.
Full details are available on the SSB entry: OTG0077330.

Skip Navigation Links.

Specifying Subject Alternative Names with OpenSSL

This page explains how to add Subject Alternative Names (SANs) to a host certificate request using OpenSSL.

If you want to include custom SANs for the host you are requesting the certificate for, you can provide them in the request. SANs must be specified in the OpenSSL configuration file.

Please note that each SAN should be either:

  • The name of a host registered in LanDB for which you are main user or responsible.
  • A DNS alias resolving to a host for which you are main user or responsible.

To generate a request with SANs using OpenSSL, add the following sections to the openssl.cfg (openssl.conf on Linux) before executing the command:

req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

DNS.1   = host1.cern.ch
DNS.2   = host2.cern.ch

Created: 3/10/2020
Last reviewed: 5/2/2022
Send the page Send  |  Printable version Print