OpenSSL CSR with SAN


Create Request

# Generate a new 4096-bit RSA key (private.key) and a PEM-encoded CSR (sslrequest.csr) in one step.
# -nodes writes private.key WITHOUT passphrase encryption (OpenSSL 3.x spells this -noenc).
#   Keep the file readable only by the account that needs it (for example, run under `umask 077`),
#   or drop -nodes to be prompted for a passphrase.
# -subj supplies the subject on the command line, so the *_default values in
#   [ req_distinguished_name ] of /opt/ssl.conf are not used for this request.
# The subjectAltName list is taken from /opt/ssl.conf (req_extensions -> [ req_ext ] -> [ alt_names ]).
openssl req -new -newkey rsa:4096 -nodes -config /opt/ssl.conf -subj "/C=AU/ST=Queensland/L=Ipswich/O=Home/CN=email.testforme.com" -outform pem -out sslrequest.csr -keyout private.key

Verify Request File

# Print the decoded CSR (-text) and check its self-signature (-verify); -noout suppresses the PEM dump.
# Before submitting, confirm that the Subject and every Subject Alternative Name entry are the ones intended.
# Only sslrequest.csr is sent to the CA; private.key stays on the host.
openssl req -in sslrequest.csr -noout -text -verify


Configuration File

# Create the configuration file first; the path must match the -config argument of the request command.
vi /opt/ssl.conf
[ req ]
# Settings read by `openssl req`; the last three keys name other sections of this file.
# Key size used when -newkey does not give one (the request command on this page passes rsa:4096 explicitly).
default_bits       = 4096
# Key output file used when -keyout is not given (the request command on this page passes -keyout private.key).
default_keyfile    = privkey.pem
# Digest used to sign the CSR.
default_md         = sha256
distinguished_name = req_distinguished_name
# Extensions placed in the CSR; see [ req_ext ].
req_extensions     = req_ext
attributes         = req_attributes

[ req_distinguished_name ]
# Only *_default values are set here; no field prompts are declared.
# The request command on this page passes -subj, which supplies the subject directly,
# so these values do not reach the CSR (note that -subj uses O=Home, not "No Org").
# NOTE(review): without -subj, openssl req would presumably find no subject fields to ask for;
# confirm before relying on these defaults.
countryName_default          = AU
stateOrProvinceName_default  = Queensland
localityName_default         = Ipswich
commonName_default           = email.testforme.com
emailAddress_default         = postmaster@testforme.com
organizationName_default     = No Org
organizationalUnitName_default = No Unit

[ req_attributes ]
# No CSR attributes (e.g. a challenge password) are requested. The section is left empty
# but must exist because [ req ] references it through `attributes = req_attributes`.


[ req_ext ]
# These extensions are requests only: the issuing CA decides which of them appear in the certificate.
# NOTE(review): nonRepudiation is not needed for a TLS server certificate; request only the usages the service needs.
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
# Requests both TLS client and TLS server authentication.
# NOTE(review): if this certificate only fronts servers, serverAuth alone is the narrower request; confirm clientAuth is required.
extendedKeyUsage = clientAuth,serverAuth
# SAN entries are read from the [ alt_names ] section.
subjectAltName   = @alt_names

[ alt_names ]
# List every hostname clients will connect to. TLS clients match the hostname against these SAN
# entries, which is why the CN (email.testforme.com) is repeated as DNS.1.
# The names span three registrable domains (testforme.com, klaverstyn.com, klaverstyn.com.au);
# the CA will need to validate control of each name before issuing.
# One key backs all nine names, so a compromise of private.key affects every host listed here.
# Keep the list to hosts that actually share this key.
DNS.1 = email.testforme.com
DNS.2 = mail.testforme.com
DNS.3 = autodiscover.testforme.com
DNS.4 = mail.klaverstyn.com
DNS.5 = autodiscover.klaverstyn.com
DNS.6 = mail.klaverstyn.com.au
DNS.7 = autodiscover.klaverstyn.com.au
DNS.8 = home.klaverstyn.com.au
DNS.9 = mail.home.klaverstyn.com.au