Creating a Subject Alternative Name (SAN) Certificate


This guide uses OpenSSL. Regardless of what you’re installing the SSL on, OpenSSL is typically the easiest way to create a certificate signing request (CSR) for an SSL. Most systems with a terminal should already have OpenSSL, so all you need to do is follow these instructions.

If you’re using Windows, you will need to manually import the private key, or create the SAN CSR using the Windows utilities. You can follow our Windows CSR guide if you need help creating a SAN CSR on Windows.

Make sure to add the SANs (“Alternative Names”) during the Certificate Properties step.

What is a SAN Certificate

SAN stands for “Subject Alternative Name”. A SAN certificate is an SSL certificate that allows multiple hostnames to be protected by a single certificate. For example, if I wanted to cover mydomain.com and www.mydomain.com with a single certificate, I would create a SAN Certificate Signing Request (CSR) with both mydomain.com and www.mydomain.com listed.

Which No-IP SSLs Support SAN SSLs

All of our SSLs support SANs for the common name and a www subdomain of the common name. If you want additional hostnames covered by the SSL, then you’ll need another SSL. If you need to cover multiple subdomains of your common name, you may want to consider our RapidSSL Wildcard DV, which allows the SSL to cover an unlimited number of subdomains.

Generating a Private Key

To make it easier to locate the .key and .csr files, all of these commands are executed from the home directory. To get to your home directory, enter either “cd” or “cd ~” into the command-line.

Enter the following command in the terminal to generate a private key (replace “mydomain.com” with your domain or hostname):

openssl genrsa -out mydomain.com.key 2048

To view the .key file, enter “ls” into the command-line, which will display your current files and directories. The .key file will look similar to “mydomain.com.key”, with the domain or hostname you entered in the initial command in place of “mydomain.com”.

Creating an OpenSSL Config File

Enter the following command:

nano mydomain.com.cnf

You can replace “mydomain.com” with your domain or hostname. You’ll then be prompted to enter your account password. This will open a basic text editor within the terminal for you to create the config file.

Next, copy the following text and replace the sample values with your information. “mydomain.com” needs to be replaced with your domain or hostname. For bolded items, enter in your own corresponding information.


 

[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NV
localityName = Reno
organizationName = My Organization
organizationalUnitName = IT
commonName = mydomain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com

Now paste it in your terminal. You can save the file with the “CTRL+X” shortcut followed by “y” when prompted to save. Next, hit “Enter” to save with the current file name.

If you’re submitting the CSR for a Wildcard SSL, you don’t need to add the sub-domains as SANs. You only need to add your root domain (mydomain.com) as a SAN.

Generating the CSR

You are now ready to generate the CSR. Run this command in the terminal to generate the CSR (replace “mydomain.com” with your domain or hostname):

openssl req -new -sha256 -out mydomain.com.csr -key mydomain.com.key -config mydomain.com.cnf

To view and copy the CSR, enter “ls” in the command-line, which will display all files and directories. The CSR will be displayed as “mydomain.com.csr”, which you can view by entering the following command:

nano mydomain.com.csr
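
A check worth running before you submit the CSR, given here as an added example that is not part of the original guide: it rebuilds the key and CSR from the steps above in a scratch directory (using a shortened copy of the config), then confirms that the CSR lists both SANs and was made from that key. The function names and the scratch directory are assumptions of this example.

```shell
# Added example, not from the original guide. Builds the guide's key and CSR in
# a scratch directory, then checks the CSR's SANs and its key before submission.

# Print the DNS SANs requested in a CSR, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if the CSR's public key is the one derived from the private key.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_csr CSR KEY NAME...: fail if the key differs or any NAME is not a SAN.
check_csr() {
    csr=$1; key=$2; shift 2
    csr_matches_key "$csr" "$key" || { echo "key does not match CSR" >&2; return 1; }
    for name in "$@"; do
        csr_sans "$csr" | grep -qxF "$name" || { echo "missing SAN: $name" >&2; return 1; }
    done
}

# Run the guide's steps for its placeholder mydomain.com inside directory $1.
build_example() {
    ( cd "$1" && umask 077 &&   # umask: key file readable only by its owner
      openssl genrsa -out mydomain.com.key 2048 2>/dev/null &&
      cat > mydomain.com.cnf <<'EOF' &&
[ req ]
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = US
commonName = mydomain.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
EOF
      openssl req -new -sha256 -out mydomain.com.csr -key mydomain.com.key -config mydomain.com.cnf )
}

scratch=$(mktemp -d); trap 'rm -rf "$scratch"' EXIT
build_example "$scratch" && check_csr "$scratch/mydomain.com.csr" \
    "$scratch/mydomain.com.key" mydomain.com www.mydomain.com && echo "CSR OK"
```

If “req_extensions” or the “[ alt_names ]” section is missing from the config, the CSR is still created but check_csr reports the missing SAN.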

Next Steps

If you need the next steps for obtaining and installing your SSL, check out our SSL Receiving and Installation guide.