Create a certificate with SAN entry

Chrome 58 and later require a certificate to have a valid subjectAlternativeName (SAN) entry; a hostname that only appears in the Common Name is no longer accepted.

This is to conform with an 18-year-old RFC describing HTTP over TLS connections.

To generate a CSR with a SAN entry using OpenSSL:

  1. Create a text file "servername.cnf" containing the CSR parameters. The subjectAltName line refers to a section called alt_names with @alt_names, so that section must exist; put one DNS.n line in it for every hostname the certificate must cover (DNS.2 below repeats the CN and can be changed to an extra name or dropped):

     [ req ]
     default_bits       = 2048
     prompt             = no
     default_md         = sha256
     distinguished_name = req_distinguished_name
     req_extensions     = req_ext

     [ req_distinguished_name ]
     C  = BE
     O  = ACME
     CN = servername.acme.local

     [ req_ext ]
     subjectAltName = @alt_names

     [ alt_names ]
     DNS.1 = servername.acme.local
     DNS.2 = servername.acme.local

  2. Create the CSR and private key with OpenSSL using the text file:

     openssl.exe req -out servername.csr -newkey rsa:2048 -nodes -keyout servername.key -config servername.cnf

     This creates servername.csr, which has to be signed by the CA, and the private key servername.key.

  3. When you receive the .cer/.crt/.pem in BASE64 format from the CA, you can create a certificate chain in that file by appending the intermediate certificate and the root certificate in the following order:

     (Your server certificate: servername.crt)
     (Intermediate CA .crt content)
     (Root CA .crt content)

  4. If your application requires the public and private key in a single pfx file, you can combine them with:

     openssl.exe pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt

     This results in a servername.pfx file which is protected by the export password OpenSSL prompts for.
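The same procedure run end to end, as an added example that is not part of the original post: a POSIX shell script (using the openssl command rather than openssl.exe) that writes the config with the alt_names section, builds the key and CSR, parses the SAN back out of the CSR before it is sent anywhere, and then, because no real CA is reachable offline, signs it with a throwaway root/intermediate pair to exercise the chain-file and pfx steps. The second hostname, the work directory and the pfx password are constructed values; the test CA, its file names and the helper function names are assumptions of this example, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post): the CSR-with-SAN steps above run
# end to end against a throwaway local test CA so the result can be checked
# offline. The second hostname, work directory and PFX password are constructed;
# in real use servername.csr goes to the real CA instead of the test CA here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="servername.acme.local"      # CN and DNS.1 from the post
ALT="www.servername.acme.local"   # constructed second SAN (the post repeats DNS.1)
PFX_PASS="changeit"               # constructed export password for the .pfx

# Step 1: the CSR config. [ alt_names ] is the section that @alt_names points at.
write_cnf() {
  cat > "$WORK/servername.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
C  = BE
O  = ACME
CN = $HOST
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $HOST
DNS.2 = $ALT
EOF
}

# Step 2: private key and CSR.
make_csr() {
  openssl req -out "$WORK/servername.csr" -newkey rsa:2048 -nodes \
    -keyout "$WORK/servername.key" -config "$WORK/servername.cnf" 2>/dev/null
}

# Check before the CSR leaves your hands: parse it back and print its SAN line.
csr_san() {
  openssl req -in "$WORK/servername.csr" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

# Stand-in CA: self-signed root plus intermediate, so the chain has three layers.
make_test_ca() {
  printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' '[ dn ]' \
    'CN = placeholder' '[ ca_ext ]' 'basicConstraints = critical, CA:true' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/ca.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -config "$WORK/ca.cnf" -subj '/CN=Test Root CA' 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -config "$WORK/ca.cnf" -subj '/CN=Test Intermediate CA' 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.cnf" -extensions ca_ext \
    -out "$WORK/int.crt" 2>/dev/null
}

# Issue the server certificate, carrying the SAN over from the request; a CA
# that drops it leaves you back where Chrome 58 complains.
sign_server_cert() {
  openssl x509 -req -in "$WORK/servername.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/servername.cnf" -extensions req_ext \
    -out "$WORK/servername.crt" 2>/dev/null
}

# Step 3: chain file in the order server, intermediate, root; prints the count.
build_chain() {
  cat "$WORK/servername.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/servername-chain.crt"
  grep -c 'BEGIN CERTIFICATE' "$WORK/servername-chain.crt"
}

# Verify the chain up to the root and that the SAN matches the given hostname.
verify_server_cert() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -verify_hostname "$1" "$WORK/servername.crt" >/dev/null 2>&1
}

# Step 4: key plus chain into a password-protected .pfx; read it back and
# print how many certificates it carries.
make_pfx() {
  openssl pkcs12 -export -out "$WORK/servername.pfx" -inkey "$WORK/servername.key" \
    -in "$WORK/servername-chain.crt" -passout "pass:$PFX_PASS" 2>/dev/null
  openssl pkcs12 -in "$WORK/servername.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

run_all() {
  write_cnf; make_csr; echo "CSR SAN: $(csr_san)"
  make_test_ca; sign_server_cert; echo "certs in chain: $(build_chain)"
  verify_server_cert "$HOST"; echo "chain and hostname OK for $HOST"
  echo "certs in pfx: $(make_pfx)"
}

if command -v openssl >/dev/null 2>&1; then run_all; else
  echo "openssl not found in PATH; nothing run" >&2; fi
```

The csr_san check is the one to keep even when you skip the rest: it shows exactly what the CA will see, so a missing alt_names section or a typo in a DNS.n line is caught before the request is submitted rather than after the certificate is installed and Chrome rejects it. The hostname verification step at the end is the same check a browser performs, so running it against the issued certificate tells you whether the CA kept the SAN.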
