# How to generate a self-signed SAN SSL/TLS certificate using openssl

Generating a self-signed certificate is a common task and the command to generate one with `openssl` is well known and well documented. Generating a certificate that includes a subjectAltName (SAN) extension is not so straightforward, because the extension has to be supplied through a config section rather than a plain command-line option. The following example demonstrates how to generate a SAN certificate without making a permanent change to the openssl configuration.

## Generate a list of all required DNS names

Note: current browsers and most TLS clients match the hostname against the SAN list only and ignore the CN, so every name the certificate must serve has to be listed here, including the one that will also be used as CN.

```
$ export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"
```

## Generate a configuration with the addition of the san extension

_NOTE:_ On OSX [El Capitan] the openssl configuration file path is `/System/Library/OpenSSL/openssl.cnf` instead of the RHEL/CentOS default of `/etc/pki/tls/openssl.cnf`.

The system config is concatenated with a here-document that appends a `[ san ]` section (the `-` argument makes `cat` read the here-document from stdin). The fallback used when `$SAN` is unset must itself be a valid `type:value` entry, so the address carries an `email:` prefix; a bare value is rejected by the extension parser.

```
$ cat \
    /etc/pki/tls/openssl.cnf \
    - \
    <<-CONFIG > /tmp/www.domain.localdomain.cnf
[ san ]
subjectAltName="${SAN:-email:root@localhost.localdomain}"
CONFIG
```

## Generate the certificate using the additional parameters -config, -reqexts, and -extensions

`-nodes` writes the private key unencrypted, so the key file belongs in the private directory with restrictive permissions. Note that `-keyout` is the private key and `-out` is the certificate; give them different names and extensions so the two are never confused or served together.

```
$ openssl req \
    -x509 \
    -sha256 \
    -nodes \
    -newkey rsa:2048 \
    -days 365 \
    -reqexts san \
    -extensions san \
    -subj "/CN=www.domain.localdomain" \
    -config /tmp/www.domain.localdomain.cnf \
    -keyout /etc/pki/tls/private/www.domain.localdomain.key \
    -out /etc/pki/tls/certs/www.domain.localdomain.crt
```

## Generate a new Diffie-Hellman Group

_Warning!_ this takes a while...

```
$ openssl dhparam \
    -out /tmp/dhparams.pem \
    2048
```

Append the DH PARAMS to the certificate. Apache httpd (2.4.7 and later) picks up DH parameters appended to the file named by `SSLCertificateFile`; nginx does not read them from the certificate file and needs the `ssl_dhparam` directive pointing at the PEM file instead.

```
$ cat /tmp/dhparams.pem \
    >> /etc/pki/tls/certs/www.domain.localdomain.crt
```

## Or, with OpenSSL 1.1.1 or newer, a single command

`-addext` (available since OpenSSL 1.1.1) adds the extension directly from the command line, so no temporary config file is needed. List every required name, comma-separated, exactly as in the `$SAN` variable above.

```
$ openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 365 \
    -nodes \
    -out www.domain.localdomain.crt \
    -keyout www.domain.localdomain.key \
    -subj "/C=US/ST=California/L=local/O=DEPT/OU=IT/CN=www.domain.localdomain" \
    -addext "subjectAltName=DNS:www.domain.localdomain"
```
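As an added example (not part of the original page), the same procedure as a reusable POSIX shell script. It writes its own minimal config instead of concatenating the system `openssl.cnf`, so it does not depend on the RHEL/CentOS versus macOS path, and it then checks what the page's commands leave unchecked: that each expected name really is an exact SAN entry and that the private key belongs to the certificate. The hostnames `www.example.test`/`example.test`, the output directory and the function names are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original page. Generates a self-signed SAN
# certificate from a throw-away config and then checks the result.
# Hostnames, paths and function names below are assumptions for this demo.
set -eu

# gen_san_cert OUTDIR NAME SANLIST
#   Writes OUTDIR/NAME.key (mode 0600) and OUTDIR/NAME.crt. SANLIST is the
#   full subjectAltName value, e.g. "DNS:www.example.test,DNS:example.test".
#   The -config/-extensions route also works on OpenSSL 1.0.x, unlike -addext.
gen_san_cert() {
    outdir=$1; name=$2; sanlist=$3
    mkdir -p "$outdir"
    # Self-contained config: no dependency on where the system openssl.cnf
    # lives. The CN is set here because -subj is not used.
    cat > "$outdir/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $name
[ san ]
subjectAltName = $sanlist
EOF
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
        -config "$outdir/$name.cnf" -reqexts san -extensions san \
        -keyout "$outdir/$name.key" -out "$outdir/$name.crt" 2>/dev/null
    # -nodes leaves the key unencrypted, so lock the file down.
    chmod 600 "$outdir/$name.key"
}

# cert_has_san CERT DNSNAME
#   Succeeds only if "DNS:DNSNAME" is an exact entry of the certificate's
#   subjectAltName. The entries are split on commas and compared whole, so
#   "example.test" does not match "www.example.test" or "example.test.evil".
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# key_matches_cert KEY CERT
#   Succeeds if the public key derived from KEY equals the one embedded in
#   CERT, i.e. the two files belong together.
key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    pub_from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ]
}

# demo: generate a certificate for two constructed names into a temp dir and
# run both checks; returns non-zero if either check fails.
demo() {
    d=$(mktemp -d)
    gen_san_cert "$d" www.example.test "DNS:www.example.test,DNS:example.test"
    cert_has_san "$d/www.example.test.crt" www.example.test || return 1
    cert_has_san "$d/www.example.test.crt" example.test || return 1
    key_matches_cert "$d/www.example.test.key" "$d/www.example.test.crt" || return 1
    echo "wrote $d/www.example.test.{key,crt}; SAN entries and key pairing verified"
}

# Run the demo only when invoked as "./san-cert.sh demo", so the file can also
# be sourced for its functions.
[ "${1:-}" = demo ] && demo
```

Invoke it as `sh san-cert.sh demo`, or source the file and call `gen_san_cert` with your own directory and SAN list. The exact-match check in `cert_has_san` is the part worth keeping around: a plain `grep DNS:name` over the certificate text would happily accept a certificate that only covers a longer or shorter name.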