OpenSSL: Create CSR for certificate with additional Subject Alternative Name(s) (Windows)

Procedure to create CSR with SAN (Windows)

  • Login into server where you have OpenSSL installed (or download it here)
  • Go to the directory where openssl is located (on Windows)
  • Create a file named sancert.cnf  with the following information
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (NL)
stateOrProvinceName         = State or Province Name (ZH)
localityName               = Locality Name (AADR)
organizationName           = Organization Name (WGE)
commonName                 = Common Name (e.g. server FQDN)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = sslcert.wesleygeelhoed.nl
DNS.2   = dns2.com
DNS.3   = dns3.com

* You can add even more subject alternative names if you want. Just add DNS.4 = etcetera…

  • Save the file and execute following OpenSSL command, which will generate CSR and KEY file
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config sancert.cnf

This will create sslcert.csr and private.key in the present working directory. Request your certificate with the created CSR and you’re all set!

11 comments

      1. Yes, I am. The command successfully takes all the inputs configured in the file but fails at the end.

        Like

      2. The only advise I can give you is maybe try to reinstall openssl or run it from another system where it is installed. The config file from the blog is 100 percent correct and it should work. I used it many many times!

        Like

    1. I had the exact same thing; on Github i came accross a solution that helped:

      I just went through this same issue. While the command ran I was seeing prompts like “US[]:” and I was just hitting enter because the values I wanted were in the file.

      I added the line prompt=no to the [req] section and my request ran without error. like this:

      [req]
      prompt = no

      Hope this helps!

      Like

  1. i am also getting the same error.

    C:\Program Files (x86)\GnuWin32\src\openssl\0.9.8h\openssl-0.9.8h\out>openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout
    private.key -config sancert.cnf
    error on line -1 of sancert.cnf
    424:error:02001002:system library:fopen:No such file or directory:./crypto/bio/bss_file.c:126:fopen(‘sancert.cnf’,’rb’)
    424:error:2006D080:BIO routines:BIO_new_file:no such file:./crypto/bio/bss_file.c:129:
    424:error:0E078072:configuration file routines:DEF_LOAD:no such file:./crypto/conf/conf_def.c:197:

    Like

    1. Reehan,

      This problem looks slightly different. It looks like it is not able to find the sancert.cnf config file. I tested the config file from my website with the OpenSSL version you are running and it works like a charm. Maybe try to define the exact path for the configuration file.

      Regards,

      Wesley

      Like

  2. Thank you very much for sharing this clean & easy way to generate a fully qualified CSR including SAN on Windows!
    I googled quite a which before stumbling across your blog and this is by far the simplest way to get the job done without and extra bells & whistles. 😉

    All the best to you, your family and also your beautiful dogs!

    Like

Leave a Reply to David Franken Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s