OpenSSL CSR with Alternative Names one-line

Emanuele “Lele” Calò

October 30, 2014

2017-02-16 edit: I modified this post to use a different technique than the one in the original version, because the X509v3 extensions weren't created or seen correctly by many certificate providers.

I find it hard to remember a period in my whole life in which I issued, reissued, renewed and revoked so many certificates.

And while that's usually fun and interesting, there's one thing I often needed and never found, until a few days ago, which is how to generate CSRs (Certificate Signing Requests) with Alternative Names (e.g. including the www and non-www domain in the same cert) with a one-liner command.

This need is due to the fact that some certificate providers (like GeoTrust) don't cover the parent domain when requesting a new certificate (e.g. a CSR for the www host won't cover the bare domain, unless you specifically request so).

Luckily that's not the case with other certificate products (like RapidSSL) which already offer this feature built-in.

This issue is becoming a problem more often, since we're seeing a growing number of customers supporting sites with HTTPS connections covering both the www and "non-www" names of their website.

Luckily the solution is pretty simple and straightforward: the only requirement is that you type the CSR subject on the command line directly, basically without using the interactive question mechanism.

If you managed to understand how an SSL certificate works this shouldn't be a big problem; anyway, just as a recap, here's the meaning of the common Subject entries you'll need:

  • C — Country
  • ST — State
  • L — City
  • O — Organization
  • OU — Organizational Unit
  • CN — Common Name (e.g. the main domain the certificate should cover)
  • emailAddress — main administrative point of contact for the certificate

So, using the common syntax for an OpenSSL subject written via the command line, you have to specify all of the above (the OU is optional) and add another section called subjectAltName=.

By adding DNS.n (where n is a sequential number) entries under the "subjectAltName" field you'll be able to add as many additional "alternate names" as you want, even ones not related to the main domain.

Obviously the first-level parent domain will be covered by most SSL products, unless specified otherwise.

So here's an example to generate a CSR which will cover both the wildcard and the bare domain, all in one command:

openssl req -new -sha256 -nodes -out * -newkey rsa:2048 -keyout * -config <(
cat <<-EOF
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
ST=New York
O=End Point
OU=Testing Domain
CN =

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 =
DNS.2 =
EOF
)

To be honest, that's a sub-optimal solution for a few reasons, but mainly because it's not comfortable to fix in case you made a typo or similar.

That's why I prefer creating a dedicated file (which you can also reuse in the future) and then piping that into openssl.

Of course you can use your text editor of choice; I used a HEREDOC mainly because it displays better in blog posts, in my opinion.

cat > csr_details.txt <<-EOF
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
ST=New York
O=End Point
OU=Testing Domain
CN =

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 =
DNS.2 =
EOF

# Let's call openssl now by piping the newly created file in
openssl req -new -sha256 -nodes -out * -newkey rsa:2048 -keyout * -config <( cat csr_details.txt )

With that, I'm now able to generate proper multi-domain CSRs effectively.

Please note the use of the -sha256 option to enable SHA-256 signing instead of the old (and now definitely deprecated) SHA-1.
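As an added example (not part of the original post), here is the file-based procedure above carried through end to end with constructed example.test names: it writes the config, generates the key and CSR without prompts, then decodes the CSR to confirm the names landed in the X509v3 subjectAltName extension rather than in the Subject attributes, which is the check a CA or a strict appliance cares about.

```shell
#!/bin/sh
# Added example, not the original post's code. Names and paths are constructed.
WORK=$(mktemp -d)
CSR_CONF="$WORK/csr_details.txt"

# Same layout as the post's csr_details.txt, with an explicit [ req ] section
# and a quoted heredoc so nothing is expanded by the shell.
cat > "$CSR_CONF" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = New York
L = Rochester
O = Example Org
OU = Testing Domain
CN = www.example.test

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.test
DNS.2 = www.example.test
EOF

# Key and CSR in one shot; prompt = no keeps openssl from asking questions.
gen_csr() {
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -keyout "$WORK/example.key" -out "$WORK/example.csr" \
        -config "$CSR_CONF" 2>/dev/null
}

# Print the decoded SAN list (spaces stripped) from the CSR's requested
# extensions; return 1 if the extension is missing, i.e. the names did
# not make it into X509v3 and would be ignored by a strict consumer.
csr_sans() {
    sans=$(openssl req -in "$WORK/example.csr" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | tr -d ' ')
    [ -n "$sans" ] || return 1
    echo "$sans"
}

gen_csr && csr_sans
```

The last line prints the SAN list on success; an empty result with exit status 1 means the CSR carries no X509v3 subjectAltName and a CA may only honour the CN.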


Thanks to all our readers for the hints, ideas and suggestions they gave me to improve this post, which apparently is still very useful to a lot of system administrators out there.




Jon Jensen commented on October 31, 2014

Thanks, Lele. Nice to have a single command for that.

One thing I'm curious about: I believe the RFCs state that if you use a Subject Alternative Name, you must supply all names as SANs, and the CN may be ignored by clients. If I understand correctly, that means you must list e.g. the www host as the CN, and both the www host and the bare domain as SANs.

Can you confirm or deny that?

Emanuele ‘Lele’ Calo’ commented on November 29, 2014

After some investigation I finally found a proper answer.

As can be read here, it seems that "some browsers" (yes, IE) may follow this RFC strictly enough that if they find a SAN field they won't consider the CN field and will only use the domains found in the SANs.

While the original "older" RFC didn't specifically endorse nor encourage that behavior, with the new RFC there was more confusion on how to read that part, so some browsers went that way.

The final answer is: since it's never a problem to have a domain in both fields (CN and SAN) but it may be a problem to have the main domain only in the CN when using SANs, it's better to have all domains present in both fields.

Since the CN only supports one domain, it's common practice to put the main domain there, and then repeat it in the SAN field along with all the additional ones.

Deikensentsu commented on January 20, 2015

This doesn't correctly generate the x509 certificate with the v3 extensions required for proper compliance with the RFC spec.

This can be verified by generating a certificate and then doing an 'openssl req -in yourfile.csr -noout -text' and looking for the v3 info.

I'm still interested in finding a one-liner, but so far I've had to build an openssl.cnf according to this other blog post and pass it in.

Emanuele ‘Lele’ Calo’ commented on January 21, 2015

@Deikensentsu That's true.

Anyway I found that most certificate authorities are happy with a CSR generated that way and will create a certificate securing the right domains (NameCheap, GoDaddy, GeoTrust, etc.).

Anyway thanks for your input, I'll add a line in the post text.

Have a great day.

sushil rangari commented on January 22, 2015

Hi,

your command is not working for me, it's giving me an error like below

Error opening Private Key
5133:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('','r')
5133:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load Private Key

when I remove that from the command, the CSR which gets generated doesn't have the SAN in it; this is what I got in the CSR


on decoding the above CSR it's giving me the below

Email:

Please suggest

sushil rangari commented on January 24, 2015

Hello Emanuele,

Thanks for replying back. Yes, I do have some basic knowledge of certificate generation.

I changed the contents of your command as per my need, but the desired CSR which I wanted was not generated, especially for the SAN.

I've added as CN and under

but got the SAN under the email section


am I doing something wrong? Do I need to make changes in the openssl conf file as well?

Please suggest. It will be helpful.

Sushil R

Emanuele ‘Lele’ Calo’ commented on January 24, 2015

@sushil_rangari it seems that something may have been wrong in the command you used to generate the certificate. In order to be of any help I'd need to see the steps you took to create the certificate. Please create a pastebin and I'll be happy to have a look and try to help.

sushil rangari commented on January 24, 2015

Hiya Emanuele,

here are the commands which I'm running

[root@master ~]# openssl req -new -sha256 -nodes -subj '/C=US/ST=New York/L=New York/O=IT/OU=Web Hosting Team/' >
Generating a 1024 bit RSA private key
writing new private key to 'privkey.pem'

[root@master ~]# cat
[root@master ~]# openssl req -text -noout -verify -in
verify OK
Certificate Request:
Version: 0 (0x0)
Subject: C=US, ST=New York, L=New York, O=IT, OU=Web Hosting Team,
Subject Public Key Info:

Please suggest.

Sushil R

sushil rangari commented on January 24, 2015

In my previous command I missed DNS.1=

but after adding it the results are the same

[root@master ~]# openssl req -new -sha256 -nodes -subj '/C=US/ST=New York/L=New York/O=IT/OU=Web Hosting Team/' >
Generating a 1024 bit RSA private key
writing new private key to 'privkey.pem'

[root@master ~]# openssl req -text -noout -verify -in
verify OK
Certificate Request:
Version: 0 (0x0)
Subject: C=US, ST=New York, L=New York, O=IT, OU=Web Hosting Team,
Subject Public Key Info:
Public Key Algorithm: rsaEncryption

Sushil R

Emanuele ‘Lele’ Calo’ commented on January 26, 2015

Hi Sushil Rangari,
The behavior you noticed is the same one the other reader noticed when saying that it's not "X509v3 compliant", specifically meaning that the SAN will be part of the subject field instead of having a dedicated field.
As I anticipated, this is not a problem with most certificate providers out there (NameCheap, GeoTrust, GoDaddy), while it may be a problem if you're dealing with software or appliances which need certificates to be strictly X509v3 compliant.
In that case I suggest using the classical file-based SAN generation approach.


Michael Roedelbronn commented on September 23, 2015

Hi, I was wondering how one might use this format and also use a challenge phrase. When I use the syntax given it doesn't prompt for any additional info. Putting /challengePassword=…/ doesn't seem to work.

Andrew Leahy commented on October 14, 2015

Hi Lele,

FYI your one-liner didn't seem to add the subjectAltName to my CSR when I ran it through a CSR decoder. But this one-liner did:

openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN],")) -out domain.csr

Cheers, Andrew | Western Sydney Uni

Lyas Spiehler commented on October 28, 2015

I just developed a web-based tool that will generate this command for you and display the output.

Starbeamrainbowlabs – commented on June 28, 2016

Thanks – this post is really helpful. I'd say though that using "New York" as an example in the openssl command itself is very confusing – I can't tell the difference between the different fields. Perhaps it should be changed to something else?

Jake commented on February 10, 2017

Please update your post or delete it.

satish rao commented on February 15, 2017

I'm using the below command:

openssl req -config openssl.cnf -new -key ./private/radagast8.key -sha256 -nodes -out radagast9.csr -subj '/C=US/ST=Georgia/L=Dulut/O=Ericsson/OU=SV/CN=mdms-settings/

But I get an error with

Subject Attribute
emailAddress has no known NID, skipped
Subject Attribute
subjectAltName has no known NID, skipped

What did I do wrong?

Emanuele ‘Lele’ Calo’ commented on February 17, 2017

I finally found some time to answer all the questions, doubts, hints and concerns above.

Thanks all for your hints, ideas and comments.

Phillip Odam commented on May 12, 2017

How about just…

./ US 'New York' Rochester 'End Point' 'Testing Domain'

and if you want to make the argument handling flexible see

You may not want the argument defaults that I've set in but instead make at least some arguments required

And for the…



# Quoted heredoc delimiter so the shell leaves ${ENV::...} for openssl to resolve
cat > ${CSR_DETAILS} <<-'EOF'
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.2 = www.${ENV::DOMAIN}
EOF

export COUNTRY=${1:-US}
export STATE=${2:-New York}
export LOCATION=${3:-Rochester}
export ORGANIZATION=${4:-End Point}
export ORGANIZATION_UNIT=${5:-Testing Domain}
export EMAIL=${}
export DOMAIN=${}

# Let's call openssl now by piping the newly created file in
openssl req -new -sha256 -nodes -out *.${DOMAIN}.csr -newkey rsa:2048 -keyout *.${DOMAIN}.key -config ${CSR_DETAILS}


vaibhav zirmite commented on May 17, 2017


I have a stupid but basic question about SAN certificates.

Can I use DNS names of different servers and different domains under "alt_names"? For example:
DNS.1 =
DNS.2 =
DNS.3 =
DNS.4 =

And use the generated SAN certificate on all the included servers?

BR/ Vaibhav

Emanuele ‘Lele’ Calo’ commented on May 17, 2017

Hi vaibhav zirmite,
Yes, you definitely can, as long as you will be able to validate all of them, not necessarily in a single shot.

Hi Phillip Odam,
I'm evaluating adding your hint, in a slightly different version, to the original article. Thanks for taking the time to write it down.

Phillip Odam commented on May 19, 2017

Hi Emanuele

No problem, thanks for your write-up as it helped with my automating a self-signed root, intermediate and leaf certificate generation.


TODD TRIMMER commented on June 8, 2017

Thanks for this!

Manna Anam commented on August 8, 2017

The code may be incorrect – it always fails to find the distinguished name if it is not put as the first entry under [req]

Tom Saleeba commented on October 16, 2017

Thanks for the useful article. Definitely a time saver.

bish0polis commented on September 30, 2018

-config <( cat csr_details.txt )

why not just -config csr_details.txt ?

aghsmith commented on December 18, 2019

In the command line that takes the csr details file as input, you use -sha256. However, you also use
default_md = sha256
in the text of the csr details file.
Is this redundant or are there different things going on?
