Signing a CSR containing subjectAltName (SAN/UCC) extensions isn’t hard, but can be a daunting challenge for the OpenSSL neophyte. We’re going to use the OpenSSL Self-Signed CA to accomplish this task in two ways.

Pre-Existing SAN CSR

Either you already have a SAN CSR from another source or you generated one using the tutorial from yesterday. Inside your myca.conf file you’ll need to add the following under the [ myca ] section.

copy_extensions	= copy

Now you can simply sign the CSR using the method specified in the self-signed CA post and you’re all set.

Add SAN/UCC Extensions to Existing CSR

To accomplish this add the following to your myca.conf under the [ myca_extensions ] section.

subjectAltName          = @alt_names

Then add this section at the end of the file.

DNS.1   =
DNS.2   =
DNS.3   =

Set the DNS entries under alt_names to what you want (adding DNS.4 = if you need more, et cetera). Be sure you do not have the copy_extensions directive present in your conf. Once you have done this you can sign any CSR you choose with the command specified in the self-signed CA article and it will add the specified subjectAltName attributes to the certificate.