OpenSSL CSR with Subject Alternative Names
##########################################
:date: 2012-02-07 09:54
:tags: openssl, csr, subjectAltName

I needed to create a certificate with a Subject Alternative Name
(additional DNS names for the same host). Again, it turned out not to be that
simple: an extra configuration file has to be created, and the subjectAltName
can be added in this config for the signing request.

We will create a private key file together with a CSR.

SubjectAltName in Certificate Signing Request
=============================================


.. code-block:: bash

    #!/bin/sh

    cat > my.cnf <<EOF
    [ req ]
    default_bits        = 2048
    default_keyfile     = privkey.pem
    distinguished_name  = req_distinguished_name
    req_extensions     = req_ext # The extensions to add to the certificate request
    
    [ req_distinguished_name ]
    countryName           = Country Name (2 letter code)
    countryName_default   = DE
    stateOrProvinceName   = State or Province Name (full name)
    stateOrProvinceName_default = Upper Corner
    localityName          = Locality Name (eg, city)
    localityName_default  = Internet
    organizationName          = Organization Name (eg, company)
    organizationName_default  = Krebs Co
    commonName            = Common Name (eg, YOUR name)
    commonName_default    = euer.krebsco.de
    commonName_max        = 64
    
    [ req_ext ]
    subjectAltName          = @alt_names
    
    [alt_names]
    DNS.1   = euer.krebsco.de
    DNS.2   = euer
    EOF

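    # Generate a new unencrypted private key (privkey.pem) together with the CSR
    openssl req -new -nodes -out my.csr -config my.cnf
    # Print the CSR to confirm the requested Subject Alternative Names
    openssl req -noout -text -in my.csr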
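
The same procedure as a non-interactive script, added here as an example and not part of the original post: it builds the config from a list of names, creates the key and CSR, and fails unless the SAN entries in the CSR match that list. The function names and the ``prompt = no`` layout are choices made for this example; names are written into the config verbatim, so pass only vetted hostnames.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# write_san_cnf NAME...: print a req config; NAME 1 is the CN, all are SANs.
write_san_cnf() {
    cat <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
CN = $1

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
EOF
    i=1
    for name in "$@"; do
        echo "DNS.$i = $name"
        i=$((i + 1))
    done
}

# csr_sans FILE: print the DNS names requested in the CSR, one per line, sorted.
csr_sans() {
    openssl req -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# check_csr_sans FILE NAME...: succeed only if the CSR's SAN set equals NAME...
check_csr_sans() {
    csr=$1; shift
    [ "$(csr_sans "$csr")" = "$(printf '%s\n' "$@" | sort)" ]
}

# make_csr DIR NAME...: write my.cnf, privkey.pem and my.csr into DIR, verify.
make_csr() {
    dir=$1; shift
    write_san_cnf "$@" > "$dir/my.cnf" &&
    (umask 077 && openssl req -new -nodes -config "$dir/my.cnf" \
        -keyout "$dir/privkey.pem" -out "$dir/my.csr" 2>/dev/null) &&
    check_csr_sans "$dir/my.csr" "$@"
}
```

Calling ``make_csr . euer.krebsco.de euer`` produces the same three files as the post; a non-zero exit status means the CSR does not carry exactly the requested names.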