Certificate for multiple domains

How do I request a certificate with multiple DNS names?

To request a certificate which includes more than one FQDN (fully qualified domain name), you need to create a specially formatted CSR with more than one commonName (CN) in its subject.

Unix

In Unix the specially formatted CSR can be generated using OpenSSL.

Using OpenSSL configuration file

Edit the "/etc/ssl/openssl.cnf" file (the path may vary depending on the Unix distribution):

openssl.cnf
[ req ]
default_bits = 2048
# take the subject from the [ dn ] section below instead of prompting
prompt = no
encrypt_key = no
# digest used to sign the CSR (current OpenSSL releases default to sha256)
default_md = sha1
distinguished_name = dn

[ dn ]
C = IE
O = Official name of your institution
# numbered keys allow the same attribute (CN) to be repeated
0.CN = First FQDN of your server
1.CN = Second FQDN of your server
2.CN = Third FQDN of your server
# ... add as many as you need

The principal FQDN should appear as the first CN (0.CN=), since only this one will be kept in the subject of the certificate. The other CNs (and the first one as well) will be transferred to the subjectAltName field of the generated certificate.

Alternatively, the CSR can be generated by passing the subject directly on the openssl command line (the -subj switch). This is useful if the key pair has already been generated.

Command line examples

Server with an existing private key

openssl req -new -key myserver.key -subj "/C=IE/O=inst_name/CN=first_fqdn/CN=second_fqdn/CN=third_fqdn" -text

Create private key and CSR with multiple CN names

openssl req -new -newkey rsa:2048 -keyout myserver.key -subj "/C=IE/O=inst_name/CN=first_fqdn/CN=second_fqdn/CN=third_fqdn" -text
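Both methods above (the numbered 0.CN/1.CN keys in openssl.cnf and the -subj switch) encode the same list of FQDNs. The following added example, which is not part of the original page, builds both forms from one validated FQDN list and shows the subjectAltName the text says the CA will derive from it; the country, organisation and host names used in the test are constructed sample values.

```python
"""Build the multi-CN subject described on this page from a list of FQDNs."""
import re

# One DNS label (RFC 1123): letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_fqdns(fqdns):
    """Return normalised FQDNs in the given order; reject malformed or duplicate names."""
    seen, clean = set(), []
    for name in fqdns:
        host = name.strip().rstrip(".").lower()   # drop trailing dot, case-fold
        labels = host.split(".")
        if len(labels) < 2 or len(host) > 253 or not all(_LABEL.match(l) for l in labels):
            raise ValueError(f"not a valid FQDN: {name!r}")
        if host in seen:
            raise ValueError(f"duplicate FQDN: {host}")
        seen.add(host)
        clean.append(host)
    if not clean:
        raise ValueError("at least one FQDN is required")
    return clean


def dn_section(country, org, fqdns):
    """Emit the [ dn ] block; 0.CN is the principal name kept in the subject."""
    lines = ["[ dn ]", f"C = {country}", f"O = {org}"]
    lines += [f"{i}.CN = {host}" for i, host in enumerate(validate_fqdns(fqdns))]
    return "\n".join(lines) + "\n"


def _esc(value):
    """Backslash-escape the characters that are special inside a -subj string."""
    return re.sub(r"([\\/+])", r"\\\1", value)


def subj_arg(country, org, fqdns):
    """Emit the equivalent value for openssl's -subj switch."""
    parts = [f"/C={_esc(country)}", f"/O={_esc(org)}"]
    parts += [f"/CN={host}" for host in validate_fqdns(fqdns)]
    return "".join(parts)


def expected_san(fqdns):
    """subjectAltName the page says the CA places in the issued certificate (all CNs)."""
    return ", ".join(f"DNS:{host}" for host in validate_fqdns(fqdns))
```

After the CA has issued the certificate, `openssl x509 -noout -ext subjectAltName -in server.crt` can be compared against expected_san() to confirm every name made it into the certificate.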