<html><head></head><body><div>Since OpenSSL 3.0,</div><div>one can use the -copy_extensions` option of openssl req to copy over any SANs contained in the CSR to the cert being created</div><div>or use <span style="font-size: 14.666667px;">-addext to directly specify extensions without the need to use a config file,</span></div><div><span style="font-size: 14.666667px;">or simply use the -x509 and -subj options to build a cert from scratch (without using a CSR) and add extensions on-the-fly, e.g., </span></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>openssl req -x509 -subj "/CN=test" -key ../prepare2/ca.key -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt</div><div>or use the -new option of openssl x509 to build a cert from scratch (without using a CSR) and add extensions on-the-fly, e.g., <br><span class="Apple-tab-span" style="white-space:pre"> </span>openssl x509 -new -subj "/CN=test" -key ee.key -extfile <(printf "subjectAltName = IP:1.2.3.4, DNS:test.com") -out ee.crt</div><div><br></div><div>Otherwise, as mentioned in the first answer quoted below, the classical way involves a config file - for details see the manual file.</div><div><br></div><div><span></span></div><div>Yet even <span style="font-size: 14.666667px;">with older OpenSSL versions (such as 1.1.1f) you can do without using a config file, e.g.,</span></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>openssl x509 <span style="font-size: 14.666667px;">-req</span> -signkey ee.key -in ee.req -extfile <(printf "subjectAltName = IP:1.2.3.4, DNS:test.com") -out ee.crt</div><div>or</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>openssl req -x509 -new <span style="font-size: 14.666667px;">-key ee.key</span><span style="font-size: 14.666667px;"> </span>-subj "/CN=test" -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt</div><div><br></div><div>HTH,</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>David</div><div><br></div><div>On Sat, 2022-05-21 at 06:45 -0400, Michael Richardson wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div><br></div><div>Henning Svane <<a href="mailto:hsv@energy.dk">hsv@energy.dk</a>> wrote:<br></div><div> > I am using OpenSSL 1.1.1f Is there a way to make a SAN certificate<br></div><div> > based on the CSR I have created in Exchange. I need a self-signed<br></div><div> > certificate for testing.<br></div><div><br></div><div>I'm not exactly sure what you think a SAN certificate is.<br></div><div>I guess one with a SubjectAltName extension. Mostly, all certificates have<br></div><div>that these days, but whether or not the Subject is entirely filled out is a<br></div><div>different question.<br></div><div><br></div><div>To form a self-signed certificate from a CSR, use openssl req.<br></div><div>You may need a configuration file, serial number, expiry and algorithm.<br></div><div>You'll need access to the private key.<br></div><div><br></div><div>See: <a href="https://datatracker.ietf.org/doc/html/draft-moskowitz-ecdsa-pki#section-4.2">https://datatracker.ietf.org/doc/html/draft-moskowitz-ecdsa-pki#section-4.2</a><br></div><div><br></div><div>Some of us maintain a document on generated test CAs for ECDSA and EDDSA<br></div><div>key types at: <a href="https://github.com/henkbirkholz/draft-moskowitz-ecdsa-pki">https://github.com/henkbirkholz/draft-moskowitz-ecdsa-pki</a><br></div><div>while it is in the form of an IETF ID, it is not intended for publication.<br></div><div><br></div><div>--<br></div><div>] Never tell me the odds! | ipv6 mesh networks [<br></div><div>] Michael Richardson, Sandelman Software Works | network architect [<br></div><div>] <a href="mailto:mcr@sandelman.ca">mcr@sandelman.ca</a> <a href="http://www.sandelman.ca/">http://www.sandelman.ca/</a> | ruby on rails [<br></div><div><br></div></blockquote></body></html>