• Home
  • |
  • Blog
  • |
  • How To Generate A CSR For A Multi-Domain SSL Certificate Using OpenSSL?
How to Generate a CSR for Multi-Domain SSL Certificates

In general, SSL certificates are used to validate a single domain. However, some practical requirements force you to think about securing multiple domains with a single certificate. If you are a beginner, you are searching for the solution to this problem. Then you are at the right place. The short answer to this is, yes, you can secure multiple domains with a single certificate. To acquire an SSL certificate that secures multiple domains, you should generate a CSR (Certificate Signing Request) for your multi-domain certificate to submit to the CA to sign. After you read this post, you will be in a position to answer how to generate a CSR for a multi-domain SSL certificate using OpenSSL.

Before you go ahead, we encourage you to learn about the different types of certificates if you have time.

What Is A Multi-Domain/SAN Certificate?

Multi-domain certificates are certificates that can be used to validate more than one domain name. They are also known by two other names. 1. UCC, which stands for “unified communication certificate,” and 2. SAN (which stands for “subject alternative name”) certificates.

Well, suppose you ever created a Certificate Signing Request for a single domain certificate. In that case, you might be aware of the ‘common name’ field, which contains a Fully Qualified Domain Name (FQDN) for which the certificate is created. Well, if you think you will have multiple common names in a single SSL certificate, you are wrong. You will have only one common name, which is the primary domain of the certificate. In addition to that, you will have multiple Subject Alternative Names (SAN) or Alt Name or DNS Name in the certificate. Each SAN will serve as a common name. That’s why it is also called SAN certificate.

Let’s see an example of a multi-domain or SAN certificate:

If you create a certificate with this information, the certificate will secure all four domains. The same certificate can be used for any of the four domains.

CN (Common Name) = example.com
DNS 1 = www.example.com
DNS 2 = mydomain.com
DNS 3 = exampledomain.com

What Is The Maximum Number Of SAN Are Allowed In A SSL Certificate?

Different Certificate Authorities have specified different maximum limits. Windows Certificate Authority has set the limit up to 4 Kb. However, RFC5280 Section 4.2.1. doesn’t specify the maximum limit. the range is defined as 1…MAX. The value of MAX is not specified.

How To Generate A CSR for Multi-Domain SSL Certificates?

Let’s see how to generate a CSR for the certificate, which can be used to secure multiple domains. Let learn how to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL.

Time needed: 15 minutes.

How to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL?

  1. Create a copy of OpenSSL config file

    Create a copy of the existing config file. The existing OpenSSL config file will be at /etc/ssl/openssl.cnf or /usr/lib/ssl/openssl.cnf.

    Use the cp command to take a copy of the config file:

    # cp /etc/ssl/openssl.cnf /home/arunkl/multi-domain-site/



    Create an copy of OpenSSL config file

  2. Edit the config file and enable [ v3_req ]

    Use your choice of editors to edit the config file. We use nano in this demonstration.

    # nano /home/arunkl/multi-domain-site/openssl.cnf

    Look for the [ req ] section. Uncomment the following line: If you don’t see the line, add it under the [ req ]. This will direct OpenSSL to read the [ v3_req ] section.

    req_extensions = v3_req


    Edit the OpenSSL config file

  3. Enable SubjectAltName under [ v3_req ] section

    Scroll down until you see [ v3_req ] and add the following line: This will direct the config file to read alt names.

    subjectAltName = @alt_names


    Enable SubjectAltName

  4. Add Alt Name or SAN names in the config file

    Create a new section [ alt_names ] at the bottom of the config file. Add SAN or DNS or Alt names like this.

    [ alt_names ]
    DNS.1 = www.exampledomain.com
    DNS.2 = exampledomain.com
    DNS.3 = thesecmaster.local
    DNS.4 = mydomain.local

    Note: Do not add the domain name used in the common name field again.

    Now you are done with the creation of the config file. Hit Ctrl + o to save the config file and Ctrl + x to exit.


    Add Alt Name or SAN names to the CSR

  5. Generate the private key

    Run this command to create a private key for your certificate. Do not use a passphrase as Nginx will have to use this private key.

    # openssl genrsa -out example.com.key 2048



    Create private key using OpenSSL

  6. Generate the CSR for multi-domain or SAN certificate

    Create the CSR importing the private key and the config file created in the previous sections.

    # openssl req -new -key example.com.key -out example.com.csr -config example.com.cnf


    Generate the CSR for multi-domain or SAN certificate

  7. Test the CSR

    Test the CSR with the following command:

    # openssl req -in example.com.csr -noout -text

    The CSR is ready to submit to the Certificate Authority.

    How to decode the CSR using openssl

This is how you can generate a CSR for a multi-domain SSL certificate.

Thanks for reading the tutorial post. Please let us know if you have any difficulties in generating a CSR for a multi-domain SSL certificate. Follow us on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.