I know that by adding/modifying the SubjectAltName entry in openssl.cnf this can be achieved, but is there a way to do so without having to modify that file every time?
How to add multiple email addresses to an SSL certificate via the command line
certificates, openssl, ssl
Best Answer
You don't have to mess around with the openssl.cnf file in any way.
The following command demonstrates how to generate a self-signed certificate with SAN for the email nobody@example.com:
The trick here is to include a minimal [req] section that is good enough for OpenSSL to get along without its main openssl.cnf file.
In OpenSSL ≥ 1.1.1, this can be shortened to:
Here we are using the new -addext option, so we don't need -extensions and -config anymore.
Don't forget to verify the contents of the generated certificate:
See also: https://security.stackexchange.com/a/198409/133603 and https://stackoverflow.com/a/41366949/19163
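
The approach described in the answer above, extended to several addresses, as an added example that is not part of the original answer: it writes a throwaway config with a minimal [req] section, issues a self-signed certificate, and prints the SAN line for verification. The function names (san_emails, make_cert, cert_sans), the addresses, the RSA 2048 key and the 30-day lifetime are assumptions chosen for illustration; addresses are validated first because a comma or colon in one would add SAN entries nobody asked for.

```shell
#!/bin/sh
# Added example; function names and addresses are illustrative.

# Print "email:a,email:b" for the given addresses. Return 1 if an address
# holds characters (comma, colon, newline, ...) that could smuggle in extra
# SAN entries or config lines, or if it is not of the form local@domain.
san_emails() {
    san=""
    for addr in "$@"; do
        case $addr in
            *[!A-Za-z0-9@._+-]*|*@*@*|@*|*@|"") return 1 ;;
            *@*) ;;
            *) return 1 ;;
        esac
        san="${san:+$san,}email:$addr"
    done
    [ -n "$san" ] && printf '%s\n' "$san"
}

# make_cert KEY CRT ADDR...: self-signed certificate listing every ADDR as a
# SAN; the first ADDR is also used as the CN.
make_cert() {
    key=$1 crt=$2; shift 2
    san=$(san_emails "$@") || return 1
    cfg=$(mktemp) || return 1
    # Minimal [req] section, so the system-wide openssl.cnf is never edited.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=san' '[dn]' "CN=$1" '[san]' \
        "subjectAltName=$san" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$key" -out "$crt" -config "$cfg" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# cert_sans CRT: print the SAN value line of the certificate for review.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Demo with constructed addresses, written to a scratch directory.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_cert "$dir/key.pem" "$dir/crt.pem" nobody@example.com admin@example.com &&
        cert_sans "$dir/crt.pem"
    rm -rf "$dir"
fi
```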