Create a Multi-Domain Certificate Signing Request (CSR)

important

• The Subject Alt Names are required in Google Chrome 58 and later, and is used to match the domain name and the certificate.
• If the domain name is not listed in the certificate's Subject Alternative Names list, you'll get a NET::ERR_CERT_COMMON_NAME_INVALID error message.

1. Generate an OpenSSL CSR Config with your domain information

cat <<"EOF" | sudo tee /tmp/tls.conf > /dev/null

[req]

default_bits = 2048

default_keyfile = tls.key

distinguished_name = req_distinguished_name

req_extensions = req_ext

x509_extensions = v3_ca

[req_distinguished_name]

countryName = Country Name (2 letter code)

countryName_default = LK

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = Western Province

localityName = Locality Name (eg, city)

localityName_default = Colombo

organizationName = Organization Name (eg, company)

organizationName_default = Zone24x7 (Private) Limited

organizationalUnitName = organizationalunit

organizationalUnitName_default = Development

commonName = Common Name (e.g. server FQDN or YOUR name)

commonName_default = zone24x7.com

commonName_max = 64

[req_ext]

subjectAltName = @alt_names

[v3_ca]

subjectAltName = @alt_names

[alt_names]

DNS.1 = zone24x7.com

DNS.2 = *.zone24x7.com

DNS.3 = zone24x7.lk

DNS.4 = *.zone24x7.lk

EOF

2. Generate a Certificate Signing Request (CSR)

sudo openssl req -new -nodes -key tls.key -config /tmp/tls.conf -out tls.csr

3. References

1. Create a Self-Signed Certificate for Nginx in 5 Minutes
2. Establishing Trust to Your Cluster’s CA and Importing Certificates
3. X509 Certificate Generator