How to Create a Self-Signed SSL Certificate

Introduction

Creating a self-signed SSL certificate is a cost-effective way to secure internal websites, development servers, or testing environments. By including the Subject Alternative Name (SAN) extension, you can secure multiple domains or subdomains with one certificate. This guide explains how to create a self-signed certificate with SAN using OpenSSL.

Step-by-Step Guide

Step 1: Generate a Private Key

Run the following command to create a private key:

openssl genrsa -out private.key 2048

Step 2: Create a Configuration File for SAN

Create a configuration file (san.cnf) with the required domains:

cat > san.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = blog.example.com
DNS.3 = api.example.com
EOF

Step 3: Generate a Certificate Signing Request (CSR)

Use the private key to generate a CSR:

openssl req -new -key private.key -out request.csr -subj "/CN=www.example.com" -config san.cnf

Step 4: Generate the Self-Signed Certificate

Create the self-signed certificate with the SAN extension:

openssl x509 -req -in request.csr -signkey private.key -out certificate.crt -days 365 -extfile san.cnf -extensions v3_req

Verify the Certificate

Use the following command to inspect the SAN field:

openssl x509 -in certificate.crt -noout -text | grep -A 1 "Subject Alternative Name"

Testing

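Install the certificate on an HTTPS-enabled server (e.g., Apache or NGINX) and confirm that every SAN domain is served without hostname-mismatch warnings. Clients will still report the certificate as untrusted until it is added to their trust store.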
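The four steps and the SAN check above, combined into one script. This is an added example, not part of the original guide; the function names (make_san_cert, host_ok, key_ok, check_cert) are hypothetical, and it assumes OpenSSL 1.0.2 or later on the PATH for the -checkhost option.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Function names are hypothetical.

# make_san_cert DIR HOST... : run Steps 1-4 in DIR for the given DNS names.
make_san_cert() {
  local dir=$1 i=1 host; shift
  [ "$#" -ge 1 ] || { echo "need at least one host name" >&2; return 2; }
  ( cd "$dir" || exit 1
    umask 077                       # files created here are owner-only
    openssl genrsa -out private.key 2048 || exit 1
    {
      printf '[req]\ndistinguished_name = req_distinguished_name\n'
      printf 'req_extensions = v3_req\n[req_distinguished_name]\n'
      printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
      for host in "$@"; do printf 'DNS.%d = %s\n' "$i" "$host"; i=$((i + 1)); done
    } > san.cnf
    openssl req -new -key private.key -out request.csr \
      -subj "/CN=$1" -config san.cnf || exit 1
    openssl x509 -req -in request.csr -signkey private.key -out certificate.crt \
      -days 365 -extfile san.cnf -extensions v3_req
  )
}

# host_ok CERT HOST : succeed if OpenSSL's hostname check accepts HOST.
host_ok() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# key_ok CERT KEY : succeed if the certificate carries KEY's public key.
key_ok() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_cert CERT KEY HOST... : print one line per check, fail on any miss.
check_cert() {
  local cert=$1 key=$2 rc=0 host; shift 2
  key_ok "$cert" "$key" || { echo "FAIL key does not match $cert"; rc=1; }
  for host in "$@"; do
    if host_ok "$cert" "$host"; then echo "ok   $host"
    else echo "FAIL $host not covered by SAN"; rc=1; fi
  done
  return "$rc"
}

# Usage: ./san_check.sh certificate.crt private.key www.example.com ...
if [ "$#" -ge 3 ]; then check_cert "$@"; fi
```

A host that was left out of [alt_names] shows up as a FAIL line, which catches a certificate issued without the -extfile and -extensions options before it reaches a server.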

Conclusion

A self-signed SSL certificate with SAN is a practical solution for securing multiple domains in testing or internal environments. While not trusted by public browsers, it ensures secure communication within controlled networks. Use this method to simplify certificate management for multiple domains.

To learn why SAN matters, please visit subject-alternative-name-san-ssl-certificate.
