If you want to use an SSL certificate with multiple domain names, you can order an SSL certificate via our site and use this article to learn how to create a Certificate Signing Request (CSR) for multiple domains or subdomains.
In this short article, we explain how to use OpenSSL to create a private key and a certificate signing request (CSR) for an SSL certificate with multiple domain names (Subject Alternative Names, SAN). These commands work on any OS that supports OpenSSL (e.g. macOS, WSL, Linux distros).
SSL certificates with SAN (multiple domains) are often used to secure multiple websites or appliances where the use of a wildcard SSL certificate is not possible. These are often SSL certificates with Organisation Validation (OV) or Extended Validation (EV).
The following command generates a private key (.key file). We will need it later to create the CSR:
openssl genrsa -out mydomain.be.key 2048
This is for a key with 2048 bits. You can also opt for a higher value (e.g. 4096).
If you want to request multiple domain names in the same SSL certificate (so-called SANs), you should work with a configuration file. Create a new file (with e.g. vi or nano) and save it as mydomain.be.conf:
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
# countryName must be the two-letter country code (e.g. BE)
countryName = BE
stateOrProvinceName = YOUR PROVINCE
localityName = YOUR CITY
# OpenSSL only recognises the spelling "organizationName"
organizationName = YOUR COMPANY
organizationalUnitName = YOUR DEPARTMENT NAME
commonName = mydomain.be
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.be
DNS.2 = subdomain1.mydomain.be
DNS.3 = subdomain2.mydomain.be
Adjust countryName, stateOrProvinceName, localityName, organizationName, organizationalUnitName and commonName to the values you will use.
In the alt_names section, list the domains and subdomains the certificate must cover.
The next step is to generate the CSR. This can be done using the following command:
openssl req -new -sha256 -out mydomain.be.csr -key mydomain.be.key -config mydomain.be.conf
A .csr file will now be created based on the key you created and the values you placed in the config file.
The last step is to see if the certificate signing request (CSR) was created correctly. This is easily done using the following command:
openssl req -in mydomain.be.csr -noout -text
This decodes the CSR and displays it as text. If all went well, you should get a result similar to the one below:
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = BE, ST = YOUR PROVINCE, L = YOUR CITY, O = YOUR COMPANY, OU = YOUR DEPARTMENT NAME, CN = mydomain.be
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:de:15:ab:40:d1:90:c6:4d:36:33:35:4b:a5:67:
79:6e:42:33:c9:ac:22:1c:ae:10:cf:4c:85:85:39:
7a:43:b3:1b:4d:93:36:0e:78:6a:f5:95:e7:33:39:
ae:22:25:6c:c1:f6:a0:f1:d3:ee:da:66:41:84:9e:
b0:21:52:fb:d7:50:db:78:85:8d:c8:ff:90:9b:b3:
df:8f:93:0b:fc:c2:1c:ec:0f:c6:64:c7:30:f7:9f:
cb:91:dc:46:9e:72:65:0e:3a:b7:d9:3b:80:d9:f2:
40:b0:cf:9f:b5:96:ad:c4:c0:f5:df:9a:42:73:fc:
5d:07:ce:15:92:69:a1:c3:da:d1:3b:ff:2e:d4:48:
6b:54:73:25:80:79:27:cb:4c:0f:26:af:1d:36:b4:
c0:b4:77:97:88:1b:4f:53:b3:aa:7f:89:97:9b:07:
e0:b5:33:00:da:90:13:58:26:0e:f1:0a:6e:cd:62:
dd:2c:8a:cd:49:d6:03:4f:52:b5:a4:74:74:54:20:
4f:42:1d:5e:7a:a1:bf:06:42:d8:0a:d9:1c:81:30:
33:03:b6:44:eb:a1:10:66:12:f0:99:51:43:04:1d:
97:c4:ad:9b:49:f9:65:e0:ca:bc:65:c6:fa:42:2b:
bb:d2:80:44:6b:83:6e:b7:a0:9a:72:ee:10:45:b2:
77:61
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:mydomain.be, DNS:subdomain1.mydomain.be, DNS:subdomain2.mydomain.be
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
87:d4:85:7b:e4:51:91:18:f5:34:d9:13:92:c1:9a:a8:25:df:
11:5d:bc:89:90:91:3b:a2:ff:76:b1:a8:37:d4:0a:92:34:21:
d8:fa:22:53:ca:a7:a5:61:65:2d:05:84:13:8c:31:08:09:c9:
6a:73:37:b5:15:b2:0e:18:94:37:7c:26:42:f9:29:9b:52:70:
1b:c4:30:4b:a5:f9:52:27:a3:34:ee:98:41:d8:1b:01:64:81:
f2:8e:c1:33:67:e7:25:eb:bf:9a:7e:49:d1:61:41:90:d7:b9:
2f:d9:90:9f:4b:e8:77:9b:f0:03:5b:23:6a:77:ba:a8:4f:df:
3e:f2:7d:63:3e:aa:28:df:57:0e:05:bf:d1:fd:b9:83:00:80:
09:65:09:c4:19:90:68:ab:3b:65:d3:b6:ec:d8:34:4a:04:71:
d4:e0:83:21:43:3a:40:61:ce:f2:a3:fe:d0:50:89:aa:65:e1:
00:91:21:f0:bc:0c:c9:b0:a4:b0:fc:28:db:16:5a:c5:ef:f7:
01:e0:96:28:17:b0:25:40:35:ab:2c:83:0d:b5:55:d2:61:d7:
ea:05:15:cd:b4:42:36:29:08:93:bc:f0:48:4e:9d:f0:44:47:
31:ea:6c:9c:d4:15:da:80:a8:c1:60:7c:46:76:c7:f7:66:11:
80:00:91:bd
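Reading the decoded output by eye works for three names but is easy to get wrong with a long SAN list or several key files on disk. The script below is an added example, not part of the original article: it checks the CSR's self-signature, confirms the CSR was built from the intended private key, and confirms every expected name is in the SAN extension. The function name check_csr and its argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-submission checks for a SAN CSR.
# Usage: check_csr KEYFILE CSRFILE EXPECTED_DNS_NAME...
# Prints "OK" and returns 0 only if all three checks pass.
check_csr() {
    key=$1; csr=$2; shift 2

    # 1. Self-signature: the CSR must be intact and signed by the private
    #    key that matches the public key it carries. The output text is
    #    matched rather than relying on the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "FAIL: CSR self-signature does not verify"; return 1; }

    # 2. Key pairing: the public key inside the CSR must be the one derived
    #    from the key file you intend to install on the server.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ -n "$key_pub" ] && [ "$csr_pub" = "$key_pub" ] \
        || { echo "FAIL: CSR was not generated from $key"; return 1; }

    # 3. SAN coverage: every expected name must appear as an exact DNS entry
    #    in the subjectAltName extension (one entry per line after splitting).
    sans=$(openssl req -in "$csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr -d ' ' | tr ',' '\n')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "DNS:$name" \
            || { echo "FAIL: $name is missing from subjectAltName"; return 1; }
    done
    echo "OK"
}

# Run directly, e.g.:
#   sh check_csr.sh mydomain.be.key mydomain.be.csr mydomain.be subdomain1.mydomain.be
if [ "$#" -ge 2 ]; then check_csr "$@"; fi
```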
With this CSR request you can order, for example, a GlobalSign OrganizationSSL certificate with SAN!