For testing reasons I wanted to create a self-signed certificate that includes the subject alternative name extension, using openssl. Most guides require the creation of an openssl configuration file. I found out that this can be done without any configuration file, using only two openssl commands and a file that contains the subject alternative name extension parameters.
The first command is the following:
openssl req -newkey rsa:1024 -keyout server.key -out server.csr -subj '/C=GR/ST=Attiki/L=Athens/O=Fotiou Corp/OU=Security Department/CN=localhost/emailAddress=my@email.address' -nodes
This command creates a new private key and a new certificate signing request. Let's see the command parameters:
-newkey rsa:1024
It creates a 1024-bit RSA key
-keyout server.key
This is the file where the private key is stored
-out server.csr
This is the file where the certificate signing request is stored
-subj ...
This is the information included in the certificate
-nodes
This command parameter instructs openssl to not encrypt the private key
Now create a file and insert the subject alternative name extension parameters. In this example, I have created a file named extentions.cnf which contains the following text:
subjectAltName=DNS:example.com, DNS:localhost
This line indicates that this certificate is valid for two DNS names, namely example.com and localhost. You may notice that the CN name included in the -subj command line parameter is also included here; the reason is that most browsers ignore the CN field when the subject alternative name extension is used.
Finally, the following command creates the desired certificate:
openssl x509 -req -days 365 -signkey server.key -in server.csr -out server.crt -extfile extentions.cnf
Where:
-days 365
It is the number of days for which the certificate is valid
-signkey server.key
It is the private key generated previously and it is used to sign the certificate
-in server.csr
The certificate signing request we created with the previous command
-out server.crt
The file in which the certificate will be stored
-extfile extentions.cnf
The file we created with the subject alternative name extension parameters
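
The following script is an added example, not part of the original post: it wraps the two commands above in a function and then checks which hostnames the resulting certificate really covers, which shows why the CN has to be repeated in the subject alternative name line. The function names, the temporary directory, the shortened subject and the rsa:2048 key size are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post).

# make_cert DIR CN SAN: run the page's two commands inside DIR.
make_cert() {
    dir=$1; cn=$2; san=$3
    printf 'subjectAltName=%s\n' "$san" > "$dir/extentions.cnf"
    # rsa:2048 is this example's choice; the page's command uses rsa:1024.
    openssl req -newkey rsa:2048 -keyout "$dir/server.key" \
        -out "$dir/server.csr" -nodes \
        -subj "/C=GR/O=Constructed Example/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -days 365 -signkey "$dir/server.key" \
        -in "$dir/server.csr" -out "$dir/server.crt" \
        -extfile "$dir/extentions.cnf" 2>/dev/null
}

# san_entries CERT: print one SAN entry per line, e.g. "DNS:localhost".
san_entries() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, "");
             gsub(/,/, "\n"); print }'
}

# host_matches CERT HOST: succeed if OpenSSL's hostname check accepts HOST.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# demo: CN=localhost, but the SAN lists only example.com (constructed case).
demo() {
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp" localhost 'DNS:example.com' || return 1
    san_entries "$tmp/server.crt"
    for h in example.com localhost; do
        if host_matches "$tmp/server.crt" "$h"; then
            echo "$h: match"
        else
            echo "$h: no match"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument demo: localhost is reported as no match even though it is the CN, because the SAN list in that constructed case omits it.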