  • Mark

How to create a CSR with SANs in Windows

I used this procedure on a Windows box that was running Apache 2.2, and had the certificate files stored in the Apache conf folder.

When working with SANs (Subject Alternative Names), OpenSSL is your friend. It should be installed in your Apache folder at the following location:

C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe

Note that when using openssl on Windows, you may need to set the following environment variable so that OpenSSL can locate its config file. Use the path that is appropriate for your setup. This was where the config file was in my case:

set "OPENSSL_CONF=C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\openssl.cnf"

When ready to create the CSR, open a command prompt and perform the following steps:

  • Go to the directory where openssl is located

  • Create a file named sancert.cnf and copy in the following text

  • Edit the fields as per your requirements and save the file.

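[ req ]
default_bits       = 2048
# Take the subject values from this file instead of prompting for them
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName         = GB
stateOrProvinceName = London
localityName        = City of London
organizationName    = MyCompany
# Primary host name of the site
commonName          =
[ req_ext ]
subjectAltName = @alt_names
# One DNS.n entry per host name the certificate must cover
[ alt_names ]
DNS.1   =
DNS.2   =
DNS.3   =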
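
Before generating the CSR, the cross-references in sancert.cnf (req_extensions to req_ext, subjectAltName to alt_names, and the DNS.n values) can be checked with a short script. This is an added example, not part of the original procedure; it assumes Python is available, and the sample config and host names in it are constructed placeholders.

```python
import re

# Constructed sample in the layout of sancert.cnf; host names are placeholders.
SAMPLE_CNF = """\
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
commonName         = www.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
"""

def parse_cnf(text):
    """Parse the subset of OpenSSL config syntax used here: [ section ], key = value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def lint_san_config(text):
    """Return problems in a config that uses the '@section' SAN form, as sancert.cnf does."""
    cfg = parse_cnf(text)
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", ""))
    if ext is None:
        return ["req_extensions does not name an existing section"]
    san_section = ext.get("subjectAltName", "").lstrip("@")
    names = cfg.get(san_section)
    if names is None:
        return [f"subjectAltName section [{san_section}] is missing"]
    dns = {k: v for k, v in names.items() if k.startswith("DNS.")}
    problems = [f"{k} is empty" for k, v in dns.items() if not v]
    cn = cfg.get(req.get("distinguished_name", ""), {}).get("commonName", "")
    if not cn:
        problems.append("commonName is empty")
    # Clients match host names against the SAN list when one is present.
    elif cn.lower() not in {v.lower() for v in dns.values()}:
        problems.append(f"commonName {cn} is not listed as a DNS SAN")
    return problems
```

Call lint_san_config() on the contents of your own sancert.cnf; an empty list means the sections and names line up.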

Now run the following OpenSSL command. This will generate the CSR and key files:

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config sancert.cnf

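This will create sslcert.csr and private.key in the current directory. Note that the -nodes switch actually means "No DES": the private key is written to private.key without passphrase encryption, so anyone who can read that file can use the key.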

You can verify that the SANs are present in your CSR with the following command:

openssl req -noout -text -in sslcert.csr | find "DNS"

Now request your certificate via your usual CA provider with the newly created CSR, re-import your certificate, and you’re done!
