So by using the common syntax for OpenSSL subject written via command line you need to specify all of the above (the OU is optional) and add another section called subjectAltName=. I've generated a basic certificate signing request (CSR) from the IIS interface. -config /etc/pki/tls/openssl.cnf Requested Extensions: X509v3 Subject Alternative Name: IP Address:1.2.3.4 @EddieJennings said in OpenSSL CSR with Subject Alternative Name: @JaredBusch Correct. subjectnames.txt: when writing a host name, specify it with "DNS"; when writing an IP address, specify it with "IP". Wildcards (*) can also be used. The subjectAltName you specified is now included under "X509v3 Subject Alternative Name". One caveat here: a certificate that includes the SAN extension causes the original Subject to be ignored. With the certificate created on this page, the Common Name had been set to "hoge.com". Organization Name (eg, company) [Default Company Ltd]:Kaede Public-Key: (4096 bit) ----- Got there in the end though! Note: In the example used in this article the configuration file is "req.conf". X509v3 Subject Alternative Name: If you enter '.', the field will be left blank. The Subject Alternative Name (SAN) is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. A SAN certificate is a term often used to refer to a multi-domain SSL certificate. Create the OpenSSL Private Key and CSR with OpenSSL: 2 openssl commands in series: openssl genrsa -out srvr1-example-com-2048.key 4096 openssl req -new -out srvr1-example-com-2048.csr -key srvr1-example-com-2048 Change alt_names appropriately. This describes the procedure for creating an SSL certificate that includes the SAN (Subject Alternative Name) field. Overview: when a certificate specifying a domain name is created through IIS server certificate creation, Google Chrome may raise an error. Organizational Unit Name (eg, section) []: ----- Should subject alternative name displayed by openssl … into your certificate request. Note: While it is possible to add a subject alternative name (SAN) to a CSR using OpenSSL, the process is a bit complicated and involved.
Public Key Algorithm: rsaEncryption The "ye olde way" is how I've typically made a CSR and private key. When the SAN extension is used, "hoge.com" becomes invalid for this certificate, so take care. If you install this SSL certificate in Apache and check "Certificate Subject Alternative Name", you can see it looking like this. "-extfile" seems to be an option of the x509 subcommand, so it apparently cannot be used here. Signature Algorithm: sha256WithRSAEncryption IP.1 = 192.168.1.1 Check your third party TLS certificates for subject alternative names (SAN) in a container formatted pem file commonly used with UCP: # openssl x509 -text -noout -in server-cert.pem | grep "X509v3 Subject Alternative Name" -A1 X509v3 Subject Alternative Name: DNS:*.example.com, IP Address:127.0.0.1 Signature Algorithm: sha256WithRSAEncryption Data: The link I included talks about making a configuration file, which allows you to include SAN in your CSR. Validity Issuer: C=JP, ST=Osaka, L=Osaka, O=Kaede, CN=kaede.jp (2015-03-25 01:12:44 +09:00 version) So, after doing some searches, it seems that OpenSSL is the best solution for this. key \ -out . Data: $ cat << EOL > san.conf [ req ] default_bits = 2048 default_keyfile = san.key #name of the keyfile distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = Country Name (2 letter code) … Locality Name (eg, city) [Default City]:Osaka Encrypting a p12 certificate. ~~~~~~(omitted)~~~~~~ 1. I wish to configure OpenSSL such that when running openssl req -new to generate a new certificate signing request, I am prompted for any alternative subject names to include on the CSR. CA:FALSE Resolution. $ openssl genrsa -out ${SHORT_NAME}.key 4096 Generate Server CSR Now we will generate the certificate request using the domain key and the domain answer file which we created at the beginning of this tutorial. If you enter '.', the field will be left blank.
----- [root@localhost serverAuth]# /opt/openssl/1.1.1/bin/openssl req -extensions v3_req -new \ X509v3 Subject Alternative Name: DNS:my-project.site and Signature Algorithm: sha256WithRSAEncryption. Public-Key: (4096 bit) DNS.3 = bbb.kaede.jp To support multiple host names, prepare a text file like the following. Version: 3 (0x2) Common Name (eg, your name or your server's hostname) []:kaede.jp into your certificate request. It seems to be caused by a certificate like this one, which has an IP address written in the DNS Name field. [10] 369112 – With HTTPS, the Subject Common Name gets ignored if subjectAltName extension is present. Generating a 4096 bit RSA private key Create a Certificate Signing Request (CSR) "openssl req -newkey rsa:2048 -keyout server_key.pem -out server_req.pem" Review the CSR to verify the Subject Alternative Name has been added as expected "openssl req -text -in server_req.pem" IP.N can be written the same way. This was the required attribute for issuing a multi-domain certificate as a single certificate. (Wildcards are also OK.) There are two ways to attach DNS information or IP address information to a certificate signing request (CSR) with openssl. One is to add the "subjectAltName" attribute to openssl.cnf and list the DNS or IP address information there. So I have been able to create a Certificate Signing Request with a Subject Alternative Name of the form subjectAltName=IP:1.2.3.4 by following the recipe in a previous (splendid) answer. Digital Signature, Non Repudiation, Key Encipherment 0. openSSL Key and Certificate. X509v3 Subject Alternative Name: DNS:binfalse.de To quick-check one of your websites you may want to use the following grep filter: openssl s_client -showcerts -connect binfalse.de:443