Certificate for multiple domains
How to request a certificate with multiple DNS names?
To request a certificate which includes more than one FQDN (fully qualified domain name), you need to create a specially formatted CSR with more than one commonName (CN) in its subject.
In Unix the specially formatted CSR can be generated using OpenSSL.
Using OpenSSL configuration file
Edit the "/etc/ssl/openssl.cnf" file (the path may vary depending on the Unix distribution) so that it contains the following sections:
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha1
distinguished_name = dn
[ dn ]
C = IE
O = Official name of your institution
0.CN = First FQDN of your server
1.CN = Second FQDN of your server
2.CN = Third FQDN of your server
# ... add as many as you need
The principal FQDN should appear as the first CN (0.CN =), since only this one is kept in the subject of the issued certificate. All of the CNs (the first one included) are transferred to the subjectAltName field of the generated certificate.
There is also the option of generating the CSR with specific openssl parameters (the -subj switch). This is useful if the key pair has already been generated.
Command Line examples
Server with an existing private key
openssl req -new -key myserver.key -subj "/C=IE/O=inst_name/CN=first_fqdn/CN=second_fqdn/CN=third_fqdn" -text
Create private key and CSR with multiple CN names
openssl req -new -newkey rsa:2048 -keyout myserver.key -subj "/C=IE/O=inst_name/CN=first_fqdn/CN=second_fqdn/CN=third_fqdn" -text
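The configuration-file approach above, as an added example that is not part of the original page: a small POSIX shell script that writes the 0.CN/1.CN/... request config from a list of FQDNs, generates the key and CSR, and then reads the CSR back to check that every intended name (and only those) is present as a CN before the request is sent to the CA. The hostnames, the "myserver" file names and the choice of sha256 as default_md are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the page's own code. Builds the multi-CN request config
# described above from a list of FQDNs, creates key + CSR, and verifies the
# CSR subject. Hostnames used in the usage section are constructed placeholders.
set -eu

# gen_multi_cn_csr <outdir> <country> <org> <fqdn1> [<fqdn2> ...]
# Writes <outdir>/req.cnf, <outdir>/myserver.key and <outdir>/myserver.csr.
gen_multi_cn_csr() {
    outdir=$1; country=$2; org=$3; shift 3
    mkdir -p "$outdir"
    {
        printf '[ req ]\ndefault_bits = 2048\nprompt = no\nencrypt_key = no\n'
        printf 'default_md = sha256\ndistinguished_name = dn\n\n[ dn ]\n'
        printf 'C = %s\nO = %s\n' "$country" "$org"
        i=0
        for fqdn in "$@"; do
            # "0.CN", "1.CN", ...: the numeric prefix lets the same attribute
            # type appear several times; index 0 is the principal name.
            printf '%d.CN = %s\n' "$i" "$fqdn"
            i=$((i + 1))
        done
    } > "$outdir/req.cnf"
    openssl req -new -newkey rsa:2048 -keyout "$outdir/myserver.key" \
        -config "$outdir/req.cnf" -out "$outdir/myserver.csr"
}

# csr_cn_list <csr-file>: print the CN values, one per line, in subject order.
csr_cn_list() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
        | sed -n 's/^[[:space:]]*CN=//p'
}

# csr_has_names <csr-file> <fqdn1> [...]: returns 0 only if every given name
# is present as a CN in the CSR subject (exact match, no substring matching).
csr_has_names() {
    csr=$1; shift
    names=$(csr_cn_list "$csr")
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qx -- "$want" || return 1
    done
    return 0
}
```

Usage: `gen_multi_cn_csr ./out IE "Example Institution" www.example.org mail.example.org` followed by `csr_cn_list ./out/myserver.csr`; the first line printed should be the principal FQDN, since that is the only name the CA keeps in the subject.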