Specifying Subject Alternative Names with OpenSSL

This page explains how to add Subject Alternative Names (SANs) to a host certificate request using OpenSSL.

If you want to include custom SANs for the host you are requesting the certificate for, you can provide them in the request. SANs must be specified in the OpenSSL configuration file.

Please note that each SAN should be either:

The name of a host registered in LanDB for which you are main user or responsible.
A DNS alias resolving to a host for which you are main user or responsible.

To generate a request with SANs using OpenSSL, add the following sections to the openssl.cfg (openssl.conf on Linux) before executing the command:

[req]
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1   = host1.cern.ch
DNS.2   = host2.cern.ch

Created:

3/10/2020

Last reviewed:

5/2/2022

Tools:

Send the page

Printable version

CERN Certification Authority

Specifying Subject Alternative Names with OpenSSL

Related sites

CERN Accelerating science

CERN Certification Authority

Specifying Subject Alternative Names with OpenSSL

Related sites