To create a self-signed OpenSSL certificate on one line which contains subjectAltName(s) you must use
-config as follows. (OpenSSL 1.1.1 and later also accept -addext "subjectAltName=DNS:..." on the req command line, which avoids the config file entirely; the approach below works on older releases too.)
openssl req \
  -newkey rsa:4096 \
  -days 3650 \
  -nodes \
  -x509 \
  -subj "/C=US/ST=Distributed/L=Cloud/O=Cluster/CN=*.api-scispike.com" \
  -extensions SAN \
  -config <( cat $( [[ "Darwin" == "$(uname -s)" ]] && echo /System/Library/OpenSSL/openssl.cnf || echo /etc/ssl/openssl.cnf ) \
      <(printf "[SAN]\nsubjectAltName='DNS.1:*.api-scispike.com,DNS.2:api.scispike.com,DNS.3:app.scispike.com'")) \
  -keyout private_key.pem \
  -out server.crt
Note the string comparison == in the platform test. With bash's integer operator -eq both operands are evaluated arithmetically, unset names count as 0, and the test is true on every platform, so on Linux cat would be pointed at the macOS path and fail.
Looking at the output of x509 you should be able to see X509v3 extensions indicating our success. Also check the Signature Algorithm line: OpenSSL releases of that era defaulted to SHA-1, which current clients reject; newer releases default to SHA-256, and adding -sha256 to the command forces it on any version.
$ openssl x509 -noout -certopt no_sigdump,no_pubkey -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: b1:93:3d:ed:5f:48:64:b4
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Distributed, L=Cloud, O=Cluster, CN=*.api-scispike.com
        Validity
            Not Before: Jun 11 00:25:48 2016 GMT
            Not After : Jun 9 00:25:48 2026 GMT
        Subject: C=US, ST=Distributed, L=Cloud, O=Cluster, CN=*.api-scispike.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.api-scispike.com, DNS:api.scispike.com, DNS:app.scispike.com
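The same procedure as a script you can run end to end, added here as an example and not the original post's command. It writes the SAN section to a throwaway config file instead of process-substituting the platform openssl.cnf (so it does not need to locate that file and runs under plain sh as well as bash), forces -sha256, and then does the check a practitioner actually wants: not just that the SAN extension is printed, but that openssl verify accepts the certificate for each intended hostname and rejects others. The hostnames are the post's own; the output paths, the section names and the key size are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example; not the original post's command. Hostnames are the post's
# own; output paths, section names and key size are assumptions made here.
set -euo pipefail

# Generate a self-signed certificate whose SAN list comes from a throwaway
# config file. Arguments: output directory, CN, comma-separated SAN list.
make_san_cert() {
  local outdir="$1" cn="$2" san_list="$3"
  local cfg
  cfg="$(mktemp)"
  # A minimal config: the [req] block replaces the system openssl.cnf (so
  # there is nothing to locate per platform) and x509_extensions names the
  # SAN section; -extensions on the command line overrides it if given.
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = SAN
prompt             = no

[dn]
C  = US
O  = Cluster
CN = ${cn}

[SAN]
subjectAltName = ${san_list}
EOF
  # -x509 makes this a certificate rather than a CSR; -sha256 avoids the
  # sha1WithRSAEncryption signature that old OpenSSL defaults produce.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -config "$cfg" -extensions SAN \
    -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
  rm -f "$cfg"
}

# Print the SAN names of a certificate, comma-separated without spaces;
# prints nothing if the extension is absent.
cert_san() {
  openssl x509 -noout -text -in "$1" \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Exit 0 if the certificate is valid for the hostname (SAN and wildcard
# rules included), 1 otherwise. The cert serves as its own trust anchor.
cert_matches_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demonstration: build the post's certificate and check a few names.
# api-scispike.com must NOT match: a wildcard covers exactly one label.
workdir="$(mktemp -d)"
make_san_cert "$workdir" '*.api-scispike.com' \
  'DNS:*.api-scispike.com,DNS:api.scispike.com,DNS:app.scispike.com'
echo "SAN: $(cert_san "$workdir/cert.pem")"
for host in api.scispike.com foo.api-scispike.com api-scispike.com; do
  if cert_matches_host "$workdir/cert.pem" "$host"; then
    echo "$host: matches"
  else
    echo "$host: no match"
  fi
done
rm -rf "$workdir"
```

openssl verify -verify_hostname (OpenSSL 1.0.2 and later) applies the same name-matching rules a TLS client uses, so it catches the failure mode the post describes (a certificate that looks right in -text output but carries no usable SAN) as well as wildcard mistakes such as expecting *.api-scispike.com to cover the bare domain.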
I came up with this solution by piecing together man pages and random Google results. I was surprised at how many incomplete and inaccurate answers were out there. What may have been more surprising was the complete lack of a full intact solution.
Some examples simply output CSRs or require creating larger portions of openssl.cnf. The worst were examples which appended subjectAltName to the subject. They look like they are going to work but then don't: OpenSSL treats subjectAltName as an unknown subject attribute and skips it, so the certificate is issued without any SAN extension.
Inspiration for my approach came from this nearly complete answer at StackExchange: Provide subjectAltName to openssl directly on command line. Buried near the bottom is a partial example (which I originally missed) which indicates -extensions rather than -reqexts. This is rather an important detail considering we are trying to make a certificate not a