Self-signed OpenSSL certificates with alternative names


by ross at 03:57:35 on February 22, 2017

This is how you create a self-signed SSL certificate valid not only for single hostname but also for a number of alternative ones.

First of all create a config in temporary directory:

# cp /etc/ssl/openssl.cnf /tmp/openssl.cnf.tmp

Now append to this file the following section (replace the example domain with yours):


subjectAltName is a single line of comma-delimited values. You specify hostnames of this certificate as DNS.1, DNS.2, DNS.3, etc fields. You can also add an entry like IP: for an IP address.

Note: Although you will specify your primary hostname as your CN record, you still need to include it in altNames. I.e primary hostname should go both to CN and to altNames.

Now that we have the file generate the certfcate and key:

# openssl \
    req \
    -new \
    -newkey rsa:2048 \
    -days 3650 \
    -nodes \
    -x509 \
    -subj "/C=/ST=/L=/O=/" \
    -reqexts SAN \
    -extensions SAN \
    -config /tmp/openssl.cnf.tmp \
    -keyout "" \
    -out ""

Here C, ST, L and O certificate fields are empty which is valid but you can also set them to meaningful values if you want. CN is the primary hostname — change it to yours.

You can delete /tmp/openssl.cnf.tmp now.


In the 10.2, the exim using the "mailnull" and not the "exim" - needs change to the "pw" command.
-- jm
Monday, February 22, 2016, 17:54:21