Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed | Gopher

OpenSSL generate self signed certificate with SAN in one command (subject alternative name)

Published: 14-10-2022 22:02 | Author: Remy van Elst | Text only version of this article


Table of Contents


This small one liner lets you generate an OpenSSL self signed certificate with both a common name and a Subject Alternative Name (SAN). Most guides online require you to specify a separate config file but this guide uses a bash trick (process substitution) to pass such a config file to OpenSSL via the command line. If you are using OpenSSL 1.1.1 or higher, there now finally is a built in command line option which I'll also cover.

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

The reason for such a one liner is that I was playing around with a docker registry web GUI that complained that my self signed certificate used an old style CN (common name) and not the SAN field. It appeared to be an underlying Go warning. So I had to regenerate my self signed certificate with a Subject Alternative Name next to a common name. Since I was toying around, I didn't want to save a bunch of unrelated config files. Just make me a sandwich, err, certificate.

I often write about OpenSSL. You can see all my OpenSSL articles here. I've also made a convenient OpenSSL command generator which generates a command for you to execute whenever you need a certificate.

Generate Self Signed Certificate with SAN

If you are using OpenSSL 1.1.1 or higher you can simply use the -addext "subjectAltName = parameter like so:

openssl req -nodes -x509 -sha256 -newkey rsa:4096 \
  -keyout example.org.key \
  -out example.org.crt \
  -days 356 \
  -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=ACME Corp/OU=IT Dept/CN=example.org"  \
  -addext "subjectAltName = DNS:localhost,DNS:example.org" 

Replace example.org with your domain name. If you use an IP address, prefix it with IP: instead of DNS:.

If you use an older version of OpenSSL, you can use bash process substitution to provide an OpenSSL config file directly without saving that file anywhere:

openssl req -nodes -x509 -sha256 -newkey rsa:4096 \
  -keyout example.org.key \
  -out example.org.crt \
  -days 356 \
  -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=ACME Corp/OU=IT Dept/CN=example.org" \
  -extensions san \
  -config <( \
  echo '[req]'; \
  echo 'distinguished_name=req'; \
  echo '[san]'; \
  echo 'subjectAltName=DNS:localhost,DNS:example.org')

In the last line, do not forget to add 'DNS:' in front of your hostname. Otherwise you will receive a vague error message regarding the SAN extension not being found.

Tags: ca , certificate , openssl , pki , san , ssl , tls , tutorials