Create a Multi-Domain Certificate Signing Request (CSR)

important
  • Subject Alternative Names (SANs) are required in Google Chrome 58 and later, and are used to match the domain name against the certificate.
  • If the domain name is not listed in the certificate's Subject Alternative Names list, you'll get a NET::ERR_CERT_COMMON_NAME_INVALID error message.

1. Generate an OpenSSL CSR Config with your domain information

cat <<"EOF" | sudo tee /tmp/tls.conf > /dev/null
[req]
default_bits = 2048
default_keyfile = tls.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = LK
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Western Province
localityName = Locality Name (eg, city)
localityName_default = Colombo
organizationName = Organization Name (eg, company)
organizationName_default = Zone24x7 (Private) Limited
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = zone24x7.com
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = zone24x7.com
DNS.2 = *.zone24x7.com
DNS.3 = zone24x7.lk
DNS.4 = *.zone24x7.lk
EOF

2. Generate a Certificate Signing Request (CSR)

sudo openssl req -new -nodes -key tls.key -config /tmp/tls.conf -out tls.csr
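
Because a name missing from the Subject Alternative Names list produces NET::ERR_CERT_COMMON_NAME_INVALID, it is worth confirming that the CSR carries every [alt_names] entry before sending it to a CA. The check below is an added example, not part of the original page; the function names and the sample `openssl req -noout -text` excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that a CSR really
# carries every Subject Alternative Name listed in [alt_names].

# Print the DNS SAN entries, one per line, from the output of
# `openssl req -noout -text` supplied on stdin.
csr_sans() {
    # The SAN values sit on the line after the extension header.
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# Print every expected name (arguments) missing from the CSR text on stdin.
# Returns 0 when all names are present, 1 otherwise.
csr_missing_sans() {
    present=$(csr_sans)
    status=0
    for name in "$@"; do
        # -F treats "*" and "." literally, -x requires a whole-line match.
        if ! printf '%s\n' "$present" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample of `openssl req -noout -text` output; DNS.4 is left
# out on purpose to show the failure case.
sample_csr_text() {
    cat <<'EOF'
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:zone24x7.com, DNS:*.zone24x7.com, DNS:zone24x7.lk
EOF
}

# Real use: openssl req -in tls.csr -noout -text | csr_missing_sans <names...>
if missing=$(sample_csr_text | csr_missing_sans zone24x7.com '*.zone24x7.com' \
        zone24x7.lk '*.zone24x7.lk'); then
    echo "all expected SANs present"
else
    echo "CSR is missing SAN(s): $missing"
fi
```

A CSR with no SAN extension at all, for example when `req_extensions` is dropped from the config, reports every expected name as missing.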

Last updated on by Yasitha Bogamuwa