This documentation contains the complete set of commands to create a new OpenSSL self-signed
certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included in a
certificate by listing the names as a comma-delimited string (for example DNS.1:<first name>,DNS.2:<second name>).
The SAN matters because TLS clients, browsers included, match the hostname against the SAN entries and
ignore the CN once a SAN is present. Each key can be encrypted or unencrypted, with several cipher
options; AES (aes128 or aes256) is recommended.
Optional verification can also be performed between the levels of the chain to ensure the chain
of trust is valid.
This documentation is also available in portable AsciiDoc format in my documentation source code repository.
Normalize the CA certificate to PEM encoding (rewriting it in place):
openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM
Verify that the intermediate CA certificate was issued by the (self-signed) root CA:
openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem
Generate the server private key; <encryption type> is -aes128 or -aes256 for an encrypted key (you will be prompted for a passphrase), or omitted for an unencrypted key:
openssl genrsa <encryption type> -out <server key name>.pem <key size>
Inspect the generated key (modulus, exponent, primes) to confirm it was written correctly:
openssl rsa -noout -text -in <server key name>.pem
Create the certificate signing request. -addext requires OpenSSL 1.1.1 or newer; additional SANs are appended to the same string as ,DNS.2:<second alternative DNS entry> and so on:
openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem
Sign the request with the intermediate CA. openssl x509 -req does not copy extensions from the CSR, so the SAN has to be supplied again at signing time: the command below appends a [SAN] section to a copy of the system openssl.cnf via bash process substitution and selects it with -extensions SAN (the SAN value must match the one in the CSR). The first time an intermediate signs anything, OpenSSL 1.x needs -CAcreateserial added so the <intermediate CA key name>.srl serial file is created:
openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:<alternative DNS entry>")) -out <server certificate name>.pem
Inspect the signed certificate and confirm that the "X509v3 Subject Alternative Name" extension lists every expected name:
openssl x509 -noout -text -in <server certificate name>.pem
Verify the server certificate against the full chain. Only the self-signed root goes in -CAfile; the intermediate is passed as -untrusted so that OpenSSL builds the chain server -> intermediate -> root. Passing the intermediate alone in -CAfile fails with "unable to get issuer certificate" unless -partial_chain is also given, because OpenSSL requires the chain to end at a self-signed trust anchor:
openssl verify -CAfile <CA certificate name>.pem -untrusted <intermediate CA certificate name>.pem <server certificate name>.pem
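The procedure above, end to end, as an added example script (not part of the original documentation): it builds a root CA, an intermediate CA and a SAN-bearing server certificate in one directory, then verifies the chain the way a TLS client would. The file name mkchain.sh, the subjects, the example.test hostnames and the MKCHAIN_DIR variable are assumptions. Keys are generated unencrypted so the script runs unattended; add -aes256 to the genrsa calls (and -passin to the signing steps) to encrypt them as recommended above. Instead of bash process substitution it writes small extension files, so it also runs under plain sh; it needs OpenSSL 1.1.1 or newer for -addext and -ext.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): root -> intermediate -> server
# chain with SANs, plus verification. Names, subjects and hostnames are assumptions.

make_chain() {
    dir=$1
    san=$2      # e.g. "DNS:example.test,DNS:www.example.test"
    mkdir -p "$dir"

    # 1. Root CA, self-signed. CA:TRUE and keyCertSign are what make it usable
    #    as an issuer; a bare self-signed certificate would be rejected as a CA.
    openssl genrsa -out "$dir/root-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/root-key.pem" \
        -subj "/C=US/ST=Example/L=Example/O=Example/CN=Example Root CA" \
        -out "$dir/root.csr"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/root.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" \
        -signkey "$dir/root-key.pem" -extfile "$dir/root.ext" -out "$dir/root.pem"

    # 2. Intermediate CA signed by the root. pathlen:0 stops it from issuing
    #    further CAs. -CAcreateserial creates root.srl on first use.
    openssl genrsa -out "$dir/inter-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/inter-key.pem" \
        -subj "/C=US/ST=Example/L=Example/O=Example/CN=Example Intermediate CA" \
        -out "$dir/inter.csr"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' > "$dir/inter.ext"
    openssl x509 -req -sha256 -days 1825 -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root-key.pem" -CAcreateserial \
        -extfile "$dir/inter.ext" -out "$dir/inter.pem"

    # 3. Server certificate. The SAN goes into the CSR with -addext, but
    #    "openssl x509 -req" drops CSR extensions, so it is repeated in the
    #    extfile used at signing time (OpenSSL 3 can instead take
    #    -copy_extensions copy). Clients match hostnames against the SAN, not CN.
    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server-key.pem" \
        -subj "/C=US/ST=Example/L=Example/O=Example/CN=example.test" \
        -addext "subjectAltName=$san" -out "$dir/server.csr"
    printf '%s\n' "subjectAltName=$san" 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' > "$dir/server.ext"
    openssl x509 -req -sha256 -days 397 -in "$dir/server.csr" \
        -CA "$dir/inter.pem" -CAkey "$dir/inter-key.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem"
}

# Full-chain check as a TLS client would do it: trust only the self-signed root,
# supply the intermediate as -untrusted, apply sslserver purpose rules (CA:TRUE on
# issuers, serverAuth on the leaf) and match the hostname against the SAN.
verify_chain() {
    openssl verify -purpose sslserver -verify_hostname "$2" \
        -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/server.pem" >/dev/null 2>&1
}

# Verification with only the intermediate in -CAfile. Without -partial_chain this
# fails ("unable to get issuer certificate"): OpenSSL insists on reaching a
# self-signed anchor, so the intermediate alone is not enough.
verify_intermediate_only() {
    openssl verify -CAfile "$1/inter.pem" "$1/server.pem" >/dev/null 2>&1
}

# Print a certificate's SAN entries with whitespace stripped, e.g. "DNS:a,DNS:b".
leaf_san() {
    openssl x509 -noout -ext subjectAltName -in "$1" | sed -n '2p' | tr -d ' \t'
}

# Stand-alone usage (assumed file name): MKCHAIN_DIR=./pki sh mkchain.sh
if [ -n "${MKCHAIN_DIR:-}" ]; then
    make_chain "$MKCHAIN_DIR" "DNS:example.test,DNS:www.example.test"
    verify_chain "$MKCHAIN_DIR" www.example.test && echo "chain verifies for www.example.test"
    echo "SAN: $(leaf_san "$MKCHAIN_DIR/server.pem")"
fi
```

The two verify functions exist side by side on purpose: verify_chain is the check to keep, and verify_intermediate_only shows why a -CAfile containing just the intermediate is not a chain check. Passing a hostname that is not in the SAN to verify_chain also fails, which is the quickest way to confirm the SAN, rather than the CN, is what gets matched.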