How to create an SSL certificate request with SAN (Subject Alternative Names) using OpenSSL

Readers who follow my blog know that I mostly write about Power Apps and Dynamics 365. This post, however, is about creating an SSL certificate request with SANs using OpenSSL.

I have been working on a Dynamics 365 on-premise deployment where the requirement was to go IFD, and for IFD I would obviously need a certificate with SANs. This post is generic, though: it covers generating a certificate request with SANs using OpenSSL for any purpose.

A little searching on Google tells you that the first thing to do is to create a .cnf file in the format below.

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = bestflare.com
DNS.2   = usefulread.com
DNS.3   = chandank.com

In my case the .cnf file looked like the one below, saved as san.cnf.

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = IN
stateOrProvinceName         = Karnataka
localityName               = Bangalore
organizationName           = ABC Corp
commonName                 = crmwin.sample.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = san1.sample.com
DNS.2   = san2.sample.com
DNS.3   = san3.sample.com

Then run the command below in the OpenSSL command prompt.

openssl req -out certrequest.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf

Everything ran fine and the .csr file was created. However, when we verified the certificate request, the Subject Alternative Names were not in it.

Why? Clearly the .cnf file needed changes. One thing worth knowing about the first file: without prompt = no, openssl runs in prompt mode, in which the right-hand side of each [req_distinguished_name] entry is the prompt label rather than the value, so the fields still have to be typed interactively; the "IN", "Karnataka" and so on above are shown as labels, not used as values. Below is the format of the .cnf file that finally worked for us.

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = IN
ST = Karnataka
L = Bangalore
O = ABC Corp
OU = IT
CN = crmwin.sample.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1   = san1.sample.com
DNS.2   = san2.sample.com
DNS.3   = san3.sample.com

Now, when you run the openssl command again, everything works. One caveat on the [v3_req] section: keyEncipherment plus dataEncipherment is an unusual key usage for a TLS server key; digitalSignature plus keyEncipherment is what server certificates normally carry, and the signature bit is the one ECDHE cipher suites need. In practice the CA applies its own profile for keyUsage and extendedKeyUsage and may ignore what the request asks for, so the SAN list is the part of the extension section that really matters.

openssl req -out certrequest.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf

We verified the request with an online SSL CSR validation checker, and everything was as expected. The same check can be done locally by printing the request with openssl in text form and looking for the X509v3 Subject Alternative Name entry under Requested Extensions; a CSR contains no private material, but there is no need to upload it anywhere to confirm the SANs are present.

The trick, then, is not the [v3_req] name itself: openssl only cares that req_extensions points to a section that contains subjectAltName. The working file also sets prompt = no, so the distinguished name values are read from the file instead of being asked for interactively. One more thing to check before sending the request to a CA: put the common name (crmwin.sample.com here) in the alt_names list as well, because browsers and most modern TLS clients match the hostname against the SAN list only and ignore the CN.
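As an added example (my script, not the post's own code), the following POSIX shell script generates a san.cnf in the working, non-prompting format, creates the key and CSR with the same openssl req command as above, and then reads the Subject Alternative Names back out of the CSR with openssl's own text output, which is the check that would have caught the first attempt immediately. It also reproduces the failure: a config whose [req] section has no req_extensions line yields a CSR with no SANs at all. The DN values and hostnames are the post's sample values; the function names are mine, and adding the CN as DNS.1 is my choice rather than the post's config.

```shell
#!/bin/sh
# Added example, not the original post's code: build a SAN CSR the way the
# working san.cnf does, then verify the SANs with openssl's own output.
# DN values and hostnames are the post's sample values; function names are mine.
set -eu

# write_san_cnf OUTFILE CN [SAN ...]
# Writes a non-prompting req config. The CN is also added as DNS.1 (my
# choice, not the post's): clients match hostnames against the SAN list.
write_san_cnf() {
    out=$1; cn=$2; shift 2
    {
        printf '[req]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\n\n'
        printf '[req_distinguished_name]\n'
        printf 'C = IN\nST = Karnataka\nL = Bangalore\nO = ABC Corp\nOU = IT\n'
        printf 'CN = %s\n\n' "$cn"
        printf '[v3_req]\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[alt_names]\nDNS.1 = %s\n' "$cn"
        i=2
        for san in "$@"; do
            if [ "$san" != "$cn" ]; then
                printf 'DNS.%d = %s\n' "$i" "$san"
                i=$((i + 1))
            fi
        done
    } > "$out"
}

# make_csr CNF KEYFILE CSRFILE
# The post's command, with -config pointing at the generated file.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# csr_sans CSRFILE
# Prints the DNS names from the CSR's Subject Alternative Name extension,
# one per line. No output means the extension is missing, which is the
# failure the post ran into with the first config.
csr_sans() {
    openssl req -noout -text -in "$1" | awk '
        /Subject Alternative Name/ {
            getline; gsub(/[[:space:]]/, "")
            n = split($0, a, ",")
            for (j = 1; j <= n; j++) if (a[j] ~ /^DNS:/) print substr(a[j], 5)
        }'
}

# csr_has_san CSRFILE NAME  -> exit status 0 if NAME is a DNS SAN in CSRFILE
csr_has_san() {
    csr_sans "$1" | grep -qx "$2"
}

# strip_req_extensions IN OUT
# Reproduces the failure mode: drop the req_extensions line from a config
# and openssl silently produces a CSR with no requested extensions at all.
strip_req_extensions() {
    grep -v '^req_extensions' "$1" > "$2"
}

demo() {
    dir=$(mktemp -d)
    write_san_cnf "$dir/san.cnf" crmwin.sample.com \
        san1.sample.com san2.sample.com san3.sample.com
    make_csr "$dir/san.cnf" "$dir/private.key" "$dir/certrequest.csr"
    echo "SANs in certrequest.csr:"
    csr_sans "$dir/certrequest.csr"

    strip_req_extensions "$dir/san.cnf" "$dir/nosan.cnf"
    make_csr "$dir/nosan.cnf" "$dir/nosan.key" "$dir/nosan.csr"
    if csr_has_san "$dir/nosan.csr" san1.sample.com; then
        echo "unexpected: nosan.csr carries a SAN"
    else
        echo "nosan.csr has no Subject Alternative Name, as expected"
    fi
    rm -rf "$dir"
}

demo
```

Run it as sh san-csr.sh; it needs only the openssl binary. The csr_sans step is the one worth keeping in your own workflow: it reads the same information the online checker shows straight from the CSR, and an empty result tells you the extension section was never picked up.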

Hope this helped!


Debajit Dutta
Business Solutions MVP