Create key and CSR for multi-domain certificate.

If you want to secure multiple domains with one TLS/SSL certificate you will need to use multi-domain certificate with more than one Subject Alternative Name (SAN) specified in it.

Following is the procedure to create CSR for multiSAN certificate with openSSL.

First create a config file that will contain SAN information and all other parameters that need to be passed to openSSL to create CSR file.

Create multisan.conf file with following content.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
default_keyfile = multisan.key
prompt = no

[req_distinguished_name]
C = CountryCode (US,GB,...)
ST = State
L = City
O = OrganizatioName
OU = OrganizationUnit
CN = server.domain1.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server.domain1.com
DNS.2 = server.domain2.com
DNS.3 = server.domain3.com

Once multisan.conf file has been created create CSR file and private key to be used with certificate with following command:

openssl req -new -nodes -out multisan.csr -config multisan.conf

This will automatically write private key to multisan.key file in the same location you executed the command.

openssl req -new -nodes -out multisan.csr -config multisan.conf 
Generating a 2048 bit RSA private key
.......+++++
.......................................................................+++++
writing new private key to 'multisan.key'

Once CSR and key files have been created you can confirm CSR content with following command:

openssl req -text -noout -in multisan.csr

Now that you have CSR file you can upload that CSR to your TLS/SSL certificate vendor to order issuing of the certificate.

One thought on “Create key and CSR for multi-domain certificate.”

  1. This howto is very good starting point – thank you!
    Just one small correction needed (to become perfect):
    CN = server.domain1.com is good to appear once:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    default_keyfile = multisan.key
    prompt = no

    [req_distinguished_name]
    C = CountryCode (US,GB,…)
    ST = State
    L = City
    O = OrganizatioName
    OU = OrganizationUnit
    CN = server.domain1.com

    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.2 = server.domain2.com
    DNS.3 = server.domain3.com

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.