Security – Create self signed SAN certificate with OpenSSL

This post explains how to generate self-signed certificates with SANs (Subject Alternative Names) using openssl. It is a common but not very fun task, and with this method it takes only a minute.

The example below generates a certificate with two SubAltNames: and

Create openssl configuration file

Create a configuration file for openssl, called for example mydomain.cnf, with the following parameters. (On a Linux system, I usually set /etc/ssl/selfsigned as the working directory in which to generate the config files and the certificates…)

(This is not a general openssl configuration file. It is for “one-time” use only.)

[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = ES
ST = MyState
L = MyCity
O = MyOrg
emailAddress =
CN =

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 =
DNS.2 =

If no SAN needs to be added, remove the SAN lines (the subjectAltName line and the [alt_names] section, shown in red in the original post).
If more SAN names are needed, add more DNS lines in the [alt_names] section.

Run OpenSSL command

The command generates the certificate (-out) and the private key (-keyout) using the configuration file (-config). The “-nodes” parameter leaves the private key unencrypted (no passphrase is set), so restrict read access to the key file.

# openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout -days 3560 -out -config
Generating a 2048 bit RSA private key
writing new private key to ''

The generated certificate showing the SANs:

[Image: OpenSSL self-signed certificate showing the Subject Alternative Names (SAN)]
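The same check from the command line, as an added example that is not part of the original post: it builds a throwaway certificate from a config of the same shape, lists the SANs it contains, and confirms the key belongs to the certificate. The names example.test and www.example.test, the mydomain.* file names and the function names are assumptions.

```shell
# Constructed placeholders: example.test names, mydomain.* files, function names.
make_san_cert() {
    dir=$1
    cat > "$dir/mydomain.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = ES
O = MyOrg
CN = example.test

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
    ( umask 077   # -nodes writes an unencrypted key: owner-only permissions
      openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes \
          -keyout "$dir/mydomain.key" -days 3560 \
          -out "$dir/mydomain.crt" -config "$dir/mydomain.cnf" 2>/dev/null )
}

# Print the DNS SAN entries of a certificate, one per line.
list_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeeds only if certificate ($1) and key ($2) carry the same public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

tmp=$(mktemp -d)
make_san_cert "$tmp" && list_sans "$tmp/mydomain.crt"
key_matches_cert "$tmp/mydomain.crt" "$tmp/mydomain.key" && echo "key matches certificate"
rm -rf "$tmp"
```

An empty result from list_sans means the certificate was issued without the SAN extension, which usually points to a missing x509_extensions line or section header in the config.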

Example config in Apache:

You can use the generated certificate in any webserver.
For example, to apply it in Apache, use the SSLCertificateFile directive for the certificate and the SSLCertificateKeyFile directive for the private key:

<VirtualHost *:443>
  DocumentRoot "/var/www/html/myweb"
  <Directory "/var/www/html/myweb/">
    Options MultiViews FollowSymlinks
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
  TransferLog /var/log/apache2/myweb_access.log
  ErrorLog /var/log/apache2/myweb_error.log

  SSLEngine on
  SSLCertificateFile /etc/ssl/selfsigned/
  SSLCertificateKeyFile /etc/ssl/selfsigned/
</VirtualHost>
