subjectAltName must always be used (RFC 2818, 1. paragraph)

If you set subjectAltName, you have to use it for all host names, email addresses, etc.

CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software.

As of chrome 58+ this is why you will have problems and should follow these instructions :)


Enough with the warnings…let’s get shit done!

Copy openssl.cnf

while not necessary since the openssl.cnf has the CA sections separate from the user sections, I like to get my CA setup self-contained in a directory.

your cwd needs to be wherever you’re gonna generate. if you don’t know what that means quit now!

  • Ubuntu/Debian
    cp /etc/ssl/openssl.cnf openssl-san.cnf
  • RedHat/CentOS
    cp /etc/pki/tls/openssl.cnf openssl-san.cnf
  • Cygwin (MinGW?)
    cp /usr/ssl/openssl.cnf openssl-san.cnf
  • MacOSX (El Capitan)
    cp /System/Library/OpenSSL/openssl.cnf openssl-san.cnf

Edit openssl-san.cnf

req_extensions = v3_req
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
DNS.1 = server1.yourdomain.tld
DNS.2 = mail.yourdomain.tld
DNS.3 = www.yourdomain.tld
DNS.4 = www.sub.yourdomain.tld
DNS.5 = mx.yourdomain.tld
DNS.6 = support.yourdomain.tld

Generate the CSR

My notes on generating private keys and CSR’s. (that I never remember)

Used with, for example, a new HTTPS server.

Simultaneous key and request generation

openssl req -newkey rsa:4096 -nodes -keyout -out -days 365

-nodes places an unencrypted copy of the private key in the server’s key file. This is typically used so that the sysadmin doesn’t need to type in the password when restarting apache; for example.

!!!You should secure this with restrictive permissions at a minimum!!!

Answer the prompts noting:

  1. CN (A.K.A Common Name) section is the name of the server (e.g.
  2. extra attributes (namely challenge password and optional company name) can be ignored by using the enter (return) key

Setting permissions on the new key

chown root:root
chmod 0400

Generate a CSR using an existing key

Used, for example, to sign your own intermediate CA certificate

openssl req -new -config openssl.cnf -key private/ -out -days 1825

since you’re specifying the openssl.cnf, all prompts should all be defaulted as desired.

Request signing

Now send off the server.csr to your CA.

once sent, the CSR is no longer needed.

Prepare a PKCS#12 file

Combines the public and private key in an encrypted format (symmetrical) for use with email clients, etc.

  • Before 2011–02–19 (needs the CA cert)
    openssl pkcs12 -export -in my.crt -inkey my.key -in root.pem -out my.p12
  • On or after 2011–02–19 (doesn’t need CA cert)
    openssl pkcs12 -export -in my.crt -inkey my.key -out my.p12

See Also