How to create a SAN certificate

David von Oheimb dev at
Sat May 21 19:43:10 UTC 2022

Since OpenSSL 3.0,
one can use the -copy_extensions` option of openssl req to copy over any
SANs contained in the CSR to the cert being created
or use -addext to directly specify extensions without the need to use a
config file,
or simply use the -x509 and -subj options to build a cert from scratch
(without using a CSR) and add extensions on-the-fly, e.g., 
 openssl req -x509 -subj "/CN=test" -key ../prepare2/ca.key -
addext "subjectAltName = IP:," -out ee.crt
or use the -new option of openssl x509 to build a cert from scratch
(without using a CSR) and add extensions on-the-fly, e.g., 
 openssl x509 -new -subj "/CN=test" -key ee.key -extfile <(printf
"subjectAltName = IP:,") -out ee.crt

Otherwise, as mentioned in the first answer quoted below, the classical
way involves a config file - for details see the manual file.

Yet even with older OpenSSL versions (such as 1.1.1f) you can do without
using a config file, e.g.,
 openssl x509 -req -signkey ee.key -in ee.req -extfile <(printf
"subjectAltName = IP:,") -out ee.crt
 openssl req -x509 -new -key ee.key -subj "/CN=test" -addext
"subjectAltName = IP:," -out ee.crt


On Sat, 2022-05-21 at 06:45 -0400, Michael Richardson wrote:
> Henning Svane <hsv at> wrote:
>     > I am using OpenSSL 1.1.1f Is there a way to make a SAN
> certificate
>     > based on the CSR I have created in Exchange.  I need a self-
> signed
>     > certificate for testing.
> I'm not exactly sure what you think a SAN certificate is.
> I guess one with a SubjectAltName extension.  Mostly, all certificates
> have
> that these days, but whether or not the Subject is entirely filled out
> is a
> different question.
> To form a self-signed certificate from a CSR, use openssl req.
> You may need a configuration file, serial number, expiry and
> algorithm.
> You'll need access to the private key.
> See: 
> Some of us maintain a document on generated test CAs for ECDSA and
> key types at: 
> while it is in the form of an IETF ID, it is not intended for
> publication.
> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        | network
> architect  [
> ]     mcr at        |   ruby on
> rails    [
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the openssl-users mailing list