To create a self-signed OpenSSL certificate on one line that contains subjectAltName(s), use:

# The platform check uses a string comparison (==); -eq is an arithmetic test
# and would compare both names as 0, picking the macOS path on every system.
openssl req \
  -newkey rsa:4096 \
  -days 3650 \
  -nodes \
  -x509 \
  -subj "/C=US/ST=Distributed/L=Cloud/O=Cluster/CN=*.api-scispike.com" \
  -extensions SAN \
  -config <( cat $( [[ "Darwin" == "$(uname -s)" ]] && echo /System/Library/OpenSSL/openssl.cnf || echo /etc/ssl/openssl.cnf ) \
             <(printf "[SAN]\nsubjectAltName='DNS.1:*.api-scispike.com,DNS.2:api.scispike.com,DNS.3:app.scispike.com'") ) \
  -keyout private_key.pem \
  -out server.crt
Looking at the output of openssl x509 -text below, you should be able to see the X509v3 Subject Alternative Name extension, indicating our success.
$ openssl x509 -noout -certopt no_sigdump,no_pubkey -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: b1:93:3d:ed:5f:48:64:b4
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Distributed, L=Cloud, O=Cluster, CN=*.api-scispike.com
        Validity
            Not Before: Jun 11 00:25:48 2016 GMT
            Not After : Jun  9 00:25:48 2026 GMT
        Subject: C=US, ST=Distributed, L=Cloud, O=Cluster, CN=*.api-scispike.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.api-scispike.com, DNS:api.scispike.com, DNS:app.scispike.com
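The same procedure as reusable shell functions, added here as an example and not code from the original post: one function builds the [SAN] section from a list of hostnames, one picks the base openssl.cnf for the platform (the two paths are the ones used above), one issues the certificate, and one reads the issued certificate back and checks that every requested DNS name is actually present, which is the check that separates a working SAN certificate from one that merely looked right on the command line. The hostnames under example.test are constructed; the combined config is written to a temporary file rather than a <(...) process substitution so the functions also run under plain /bin/sh; make_cert and cert_has_sans need openssl on PATH, the other two functions do not.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the [SAN] section
# from a list of hostnames, picks the platform's base openssl.cnf, issues the
# self-signed certificate, and verifies that the issued certificate really
# carries every requested DNS name. Hostnames under example.test are constructed.

# Base config: the distro's openssl.cnf on Linux, the system copy on macOS.
# A string comparison is used here; -eq would be an arithmetic test.
default_openssl_cnf() {
  if [ "$(uname -s)" = "Darwin" ]; then
    echo /System/Library/OpenSSL/openssl.cnf
  else
    echo /etc/ssl/openssl.cnf
  fi
}

# Print a [SAN] section with one DNS.N entry per argument:
#   san_section '*.example.test' api.example.test
# yields "[SAN]" then "subjectAltName=DNS.1:*.example.test,DNS.2:api.example.test".
san_section() {
  i=1
  list=""
  for host in "$@"; do
    list="${list:+$list,}DNS.$i:$host"
    i=$((i + 1))
  done
  printf '[SAN]\nsubjectAltName=%s\n' "$list"
}

# Issue a self-signed cert: make_cert <key-out> <crt-out> <subject> host...
# The combined config goes to a temp file instead of a <(...) process
# substitution so the function also works under plain /bin/sh.
make_cert() {
  key=$1; crt=$2; subj=$3; shift 3
  cnf=$(mktemp) || return 1
  { cat "$(default_openssl_cnf)"; san_section "$@"; } > "$cnf" || { rm -f "$cnf"; return 1; }
  openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
    -subj "$subj" -extensions SAN -config "$cnf" \
    -keyout "$key" -out "$crt"
  rc=$?
  rm -f "$cnf"
  return "$rc"
}

# Read `openssl x509 -text` output on stdin and print the SAN DNS names, one
# per line. The names sit on the line after the "Subject Alternative Name" header.
san_dns_names() {
  awk '/Subject Alternative Name/ { getline; gsub(/[ \t]/, ""); print; exit }' \
    | tr ',' '\n' | sed -n 's/^DNS://p'
}

# Succeed only if the certificate lists every hostname: cert_has_sans <crt> host...
# An exact whole-line match is required, so "api.example.test" does not
# satisfy a request for "*.api.example.test" or vice versa.
cert_has_sans() {
  crt=$1; shift
  names=$(openssl x509 -noout -text -in "$crt" | san_dns_names) || return 1
  for host in "$@"; do
    printf '%s\n' "$names" | grep -qxF -- "$host" || return 1
  done
}

# Usage (needs openssl on PATH):
#   make_cert private_key.pem server.crt "/C=US/O=Example/CN=*.example.test" \
#     '*.example.test' api.example.test app.example.test
#   cert_has_sans server.crt '*.example.test' api.example.test && echo "SAN ok"
```

The verification step matters more than the generation step: an -extensions name that does not match a section in the config, or a section that never reached the config, produces a certificate that openssl req emits without complaint but that browsers will reject for every hostname except none, since modern clients ignore the CN entirely. cert_has_sans fails loudly in exactly that case.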
I came up with this solution by piecing together man pages and random Google results. I was surprised at how many incomplete and inaccurate answers were out there. What may have been even more surprising was the complete lack of a full, intact solution.
Some examples simply output
s or require creating larger portions of
. The worst were examples which appended
. They look like they are going to work but then don't.
Inspiration for my approach came from this nearly complete answer at StackExchange: Provide subjectAltName to openssl directly on command line. Buried near the bottom is a partial example (which I originally missed) which indicates
. This is rather an important detail considering we are trying to make a certificate, not a