Create a SSL CSR from Command Line with Subject Alternate Name

posted 16 Jun 2015, 07:08 by Tristan Self   [ updated 16 Jun 2015, 07:09 ]
To create a CSR that carries not only a CN (Common Name) but also one or more SANs (Subject Alternative Names), use the following process.

1. Firstly create a text file called request.inf and fill it with the following:

;----------------- request.inf -----------------
[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=host0.oaklands.ac.uk, OU=Department, O=Organisation, L=Town, S=County, C=Country" ; replace the attribute values on this line with your own
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
FriendlyName = vdm
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=host1.domain.com&"
_continue_ = "dns=host2.domain.com"

;-----------------------------------------------


2. Now run this command to create a CSR:

> certreq -new request.inf certreq.txt

Before sending the CSR to your CA, you can check that it contains the right information by decoding it here: https://certlogik.com/decoder/

3. Send this CSR to your CA. When you get the signed certificate file back, run the command below to install it against the private key created in step 2:

> certreq -accept cert.cer

4. To ensure it has been added correctly, check the Certificates MMC snap-in.
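The same procedure scripted in PowerShell, as an added example that is not part of the original post: it writes request.inf for a given host and SAN list, runs certreq, and then verifies offline with certutil that every expected DNS name landed in the SAN extension. The function name, the placeholder subject attributes and the file paths are assumptions; it assumes a Windows host with certreq.exe and certutil.exe, run from an elevated prompt because MachineKeySet = TRUE puts the key in the machine store.

```powershell
# Added example (not from the original post): build request.inf, create the
# CSR with certreq, and confirm the SAN entries with certutil -dump.
function New-SanCsr {
    param(
        [Parameter(Mandatory)] [string] $CommonName,
        [string[]] $DnsNames = @(),
        [string] $InfPath = "$PWD\request.inf",   # assumed output paths
        [string] $CsrPath = "$PWD\certreq.txt"
    )
    # Clients ignore the CN once a SAN extension is present, so the CN must
    # itself be listed as a SAN; add it if the caller left it out.
    $allNames = @($CommonName) + @($DnsNames | Where-Object { $_ -ne $CommonName })
    # One _continue_ line per name; every line except the last ends with '&'.
    $sanLines = for ($i = 0; $i -lt $allNames.Count; $i++) {
        $sep = if ($i -lt $allNames.Count - 1) { '&' } else { '' }
        '_continue_ = "dns={0}{1}"' -f $allNames[$i], $sep
    }
    # Placeholder subject attributes (OU/O/L/S/C); edit to suit your organisation.
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName, OU=Department, O=Organisation, L=Town, S=County, C=GB"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`n")
"@
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    & certreq.exe -new $InfPath $CsrPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
    # certutil -dump decodes the PKCS #10 request and prints one 'DNS Name=' per SAN.
    $dump = & certutil.exe -dump $CsrPath
    $missing = @($allNames | Where-Object {
        -not ($dump | Select-String -SimpleMatch -Quiet "DNS Name=$_") })
    if ($missing.Count -gt 0) { throw "SAN entries missing from CSR: $($missing -join ', ')" }
    return $allNames
}
```

Example call: `New-SanCsr -CommonName host0.oaklands.ac.uk -DnsNames host1.domain.com, host2.domain.com` returns the full SAN list written to the CSR, or throws if certreq failed or a name is absent from the decoded request.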