Generate SSL Certificates with SAN Attributes

This document will guide you through creating a Certificate Signing Request (CSR) with Subject Alertnative Names (SAN).

Table of Contents

Getting Started

These instructions have been run on a RHEL Linux system.

SAN stands for “Subject Alternative Names” and this helps you to have a single certificate for multiple CN (Common Name). In SAN certificate, you can have multiple complete CN.

For example:


You can have the above domains and more in a single certificate. One use case for this is loadbalancing, the Virtual IP could be the CN and then the hosts behind the LB would be the SAN entries.

Next we look at a real life example of, which has many SAN entries in a single certificate. SAN

As you can see in the screenshot there are multiple SAN entries for the URL.


A working installation of OpenSSL

[root@server ~]# yum install openssl

Create CSR Config

Create a directory to hold the CSR, Key and eventually the Certificate

[user@server ~]$ cd /tmp
[user@server ~]$ mkdir /tmp/san_cert
[user@server ~]$ cd /tmp/san_cert

Create a file called san.cnf

[user@server ~]$ touch /tmp/san_cert/san_cert.cnf
[user@server ~]$ vi /tmp/san_cert/san_cert.cnf

Add the following content to the /tmp/san_cert/san_cert.cnf file

[ req ]
default_bits             = 2048
distinguished_name       = req_distinguished_name
req_extensions           = v3_req
prompt                   = no

[ req_distinguished_name ]
countryName              = DE
stateOrProvinceName      = BY
localityName             = Munich
organizationName         = SomeCompany
organizationalUnitName   = SomeUnit
commonName               =
emailAddress             =

[ v3_req ]
subjectAltName    = @alt_names

DNS.1             =
IP.1             =
DNS.2             =
IP.2             =
DNS.3             =
IP.3             =

To add additional SAN records, add to the alt_names section and save the file

Create the CSR

Execute the following OpenSSL command, which will generate CSR and KEY file

[user@server ~]$ openssl req -out /tmp/san_cert/san_cert.csr -newkey rsa:2048 -nodes -keyout /tmp/san_cert/san_cert_private.key -config /tmp/san_cert/san_cert.cnf

This will create san_cert.csr and san_cert_private.key in the /tmp/san_cert/ directory. You have to send san_cert.csr to certificate signing authority so they can generate and provide you the certificate with SAN attributes.


Verify the CSR

You can verify the CSR has been created with the SAN atrributes by running the following command, the output should list DNS and IP entries, if nothing is returned there is a problem with the cnf file.

[user@server ~]$ openssl req -noout -text -in /tmp/san_cert/san_cert.csr | grep DNS
      , IP Address:,, IP Address:,, IP Address: