Create certificates with multiple hostnames

To create CSRs (Certificate signing requests) for certificates with more than one domain, you must use openssl commands and a small configuration file.
If you use Mac OS X or Linux, you probably already have the openssl commands installed in your terminal, if not you can issue the commands using SSH to connect to the Management node, and use a SCP client like WinSCP to copy files to and from your PC. If this is your best choice, I recommend to create the configuration file on Windows first, before uploading.
Create a file called for example create-cert.cnf
Make sure the alt_names match all your Subject Alternate names.
alt_names must also include the common name.
The example below has as pool name, and eu-px01 and eu-pool as subject alternate names.
The below config example has default values set to fit us, but you can set your own default values if you like. This is just to save some time when actually creating the CSRs.
create-cert.cnf contents (please edit alt_names)
distinguished_name = create_certificate
req_extensions = v3_req
countryName = Country Name (2 letter code)
countryName_default = NO
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Oslo
localityName = Locality Name (eg, city)
localityName_default = Oslo
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Pexip
commonName = Certificate name (full hostname)
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
DNS.1 =
DNS.2 =
Openssl Command to create CSR based on contents of ‘create-cert.cnf':
openssl req -nodes -newkey rsa:2048 -keyout eu-px01.key -out eu-px01.csr -config create-cert.cnf
This will output two files:

Your private key, keep it safe, you will need it when uploading cert to the conference nodes. 
Send to your cert provider for him to provide a base64 PEM certificate back to you
Misc openssl commands that is useful for faultfinding:
Check certificates presented when connecting
openssl s_client -connect -showcerts

They will not appear in a very readable format, but you can see if there are more of them at least. If it is only one this must be issued directly by the Root CA.

Check contents of .csr:
openssl req -noout -text -in myCertificate.csr
Connect to a host to check if it returns  
openssl s_client -connect -showcerts
OpenSSL one-liner CSR for one domain if not using multi domains?
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr -subj "/C=NO/ST=Oslo/L=Oslo/O=Pexip/"
Have more questions? Submit a request


Powered by Zendesk