OpenSSL SAN/UCC Certificate Generation
Signing a CSR containing subjectAltName (SAN/UCC) extensions isn't hard, but it can be a daunting challenge for the OpenSSL neophyte. We're going to use the OpenSSL self-signed CA from the earlier post to accomplish this task in two ways: by copying the SAN the requester put in the CSR, or by having the CA add the SAN itself when it signs.
Pre-Existing SAN CSR
Either you already have a SAN CSR from another source or you generated one using the tutorial from yesterday. Inside your myca.conf file you'll need to add the following under the [ myca ] section:
copy_extensions = copy
Now you can simply sign the CSR using the method specified in the self-signed CA post and you're all set. One caveat: copy_extensions = copy makes the CA copy every extension in the CSR that your own [ myca_extensions ] section does not already set, not just the SAN. Keep basicConstraints = CA:FALSE and a keyUsage line in that section so a CSR that asks for CA:TRUE cannot get it, and look at what you are about to sign with openssl req -in request.csr -noout -text before you run openssl ca.
Add SAN/UCC Extensions to Existing CSR
To accomplish this, add the following to your myca.conf under the [ myca_extensions ] section:
subjectAltName = @alt_names
Then add this section at the end of the file:

[ alt_names ]
DNS.1 = test.domain.com
DNS.2 = other.domain.com
DNS.3 = www.domain.net
Set the DNS entries under alt_names to what you want (add DNS.4 and so on if you need more). Be sure you do not have the copy_extensions directive present in your conf. Once you have done this you can sign any CSR you choose with the command specified in the self-signed CA article and it will add the specified subjectAltName attributes to the certificate. Note that every certificate signed with this config gets the same alt_names list, so edit the section before each signing, and confirm the result with openssl x509 -in cert.pem -noout -text, where the names appear under X509v3 Subject Alternative Name.
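The whole procedure end to end, as an added example that is not code from the original post or from the earlier self-signed CA post: a throwaway CA built under a temp directory with the same section names as myca.conf, signing one CSR each way, plus the check a CA operator wants before turning on copy_extensions = copy. Everything beyond what the page shows (the CA directory layout, the "Example Test CA" name, the leaf key and file names, the CSR that asks for CA:TRUE) is assumed for the demonstration; the only real requirement is openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not code from the original post): a throwaway CA under a temp
# directory that exercises both SAN methods and the copy_extensions check.
# Assumes only that openssl 1.1.1+ is on PATH; every name and path is made up.
set -eu
WORK="$(mktemp -d)"

# myca.conf-style CA config in $1; $2 = extra [ myca ] line, $3 = extra
# [ myca_extensions ] line (either may be empty).
write_ca_conf() {
  cat > "$1/ca.conf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = myca
[ myca ]
dir             = $1
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
private_key     = \$dir/ca.key
certificate     = \$dir/ca.crt
default_md      = sha256
default_days    = 365
policy          = myca_policy
x509_extensions = myca_extensions
$2
[ myca_policy ]
commonName = supplied
[ myca_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
$3
[ alt_names ]
DNS.1 = test.domain.com
DNS.2 = other.domain.com
DNS.3 = www.domain.net
EOF
}

# Fresh CA in $1: database files plus a self-signed CA certificate.
setup_ca() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Test CA" \
    -config "$1/ca.conf" -extensions ca_ext -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Key and CSR at prefix $1 for CN test.domain.com; $2 is whatever the requester
# puts in the CSR's extension section (empty = a plain CSR with no SAN).
make_csr() {
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = test.domain.com\n[ req_ext ]\n%s\n' "$2" > "$1.conf"
  reqexts=""; if [ -n "$2" ]; then reqexts="-reqexts req_ext"; fi
  openssl req -new -newkey rsa:2048 -nodes -config "$1.conf" $reqexts \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Sign CSR $2 with the CA in $1 (the page's "openssl ca" step), writing $3.
sign_csr() { openssl ca -batch -config "$1/ca.conf" -in "$2" -out "$3" >/dev/null 2>&1; }

# Value line of X509v3 extension $2 in certificate $1, whitespace stripped,
# e.g. "DNS:test.domain.com,DNS:other.domain.com" or "CA:FALSE".
ext_of() { openssl x509 -in "$1" -noout -text | grep -A1 "$2" | tail -n 1 | tr -d ' \t'; }

# Build a CA ($1) with extra config lines $2/$3, sign a CSR whose extension
# section is $4, and return the value of extension $5 in the issued cert.
run_method() {
  ca="$WORK/$1"; mkdir -p "$ca"
  write_ca_conf "$ca" "$2" "$3"
  setup_ca "$ca"
  make_csr "$ca/leaf" "$4"
  sign_csr "$ca" "$ca/leaf.csr" "$ca/leaf.crt"
  ext_of "$ca/leaf.crt" "$5"
}

# Method 1: the CSR carries the SAN and the CA copies it (copy_extensions = copy).
demo_copy_extensions() {
  run_method ca1 "copy_extensions = copy" "" \
    "subjectAltName = DNS:test.domain.com, DNS:other.domain.com" "Subject Alternative Name"
}
# Method 2: a plain CSR; the CA's own [ myca_extensions ] supplies @alt_names.
demo_ca_supplied_san() {
  run_method ca2 "" "subjectAltName = @alt_names" "" "Subject Alternative Name"
}
# The check to run before trusting copy_extensions = copy: a CSR asking for
# CA:TRUE still comes out CA:FALSE, because "copy" skips extensions the CA's own
# section already sets. Remove basicConstraints from [ myca_extensions ] and the
# request would be honoured.
demo_copy_keeps_ca_false() {
  run_method ca3 "copy_extensions = copy" "" "basicConstraints = CA:TRUE" "Basic Constraints"
}

if command -v openssl >/dev/null 2>&1; then
  echo "copy_extensions SAN: $(demo_copy_extensions)"
  echo "CA-supplied SAN:     $(demo_ca_supplied_san)"
  echo "rogue CSR ends up:   $(demo_copy_keeps_ca_false)"
fi
```

Run it with sh and it prints the SAN each method produced and the basicConstraints the CA:TRUE request ended up with. The same ext_of check (openssl x509 -noout -text) is what you would run by hand on a certificate your real myca.conf produced; if the third line ever reads CA:TRUE, the CA's own extension section has lost its basicConstraints line.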