Actually I wanted to cover this topic in the previous post, but somehow missed it.
Using the one-liner from that post can lead to typos and/or strange behaviour on the CA side, especially when the CA is a Windows CA.
To avoid these issues I mentioned "a specially designed *.conf file", which I'd like to elaborate on today.
The following steps are necessary:
Create a file "req.conf" in /etc/ssl/ (Ubuntu 14.04; paths may vary) with the following content. The $Your... values are placeholders you replace by hand; OpenSSL does not expand them. The four section headers are required, because the [req] section refers to the other three by name:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
# C is the two-letter country code (DE, US, ...), not the TLD
C = $YourTLD
ST = $YourState
L = $YourCity
O = $YourCompany
OU = $YourDepartment
# the host's FQDN; list it under [alt_names] as well, clients match on SAN
CN = $YourCName

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.$YourDomain
DNS.2 = $YourDomain
DNS.3 = www.$YourDomain

Essentially, the [req_distinguished_name] section is the information provided by the "-subj" part of last week's one-liner; the [v3_req] and [alt_names] sections carry the extensions, above all the subjectAltName entries, which "-subj" cannot express at all.
Now you can generate a key (the file names server.key and server.csr below are just examples):

openssl genrsa -out server.key 4096

and use your new key and the req.conf file to generate a CSR, which, as usual, can be fed into your local CA:

openssl req -new -sha256 -key server.key -config req.conf -out server.csr

This *.conf file can be used as a template for other CNs/altNames as well and is, in my view, clearer than a one-liner. Keep in mind that the CA, not the CSR, has the final say on which requested extensions make it into the certificate (a Windows CA applies its certificate template), so check the SANs in the issued certificate, not only in the request.
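The whole procedure as one script, added here as an example and not code from the original post: it writes a req.conf for a given host name, generates key and CSR, and then reads the SAN entries back out of the CSR so you can confirm they are really there before the request goes to the CA. The subject values (DE, Bavaria, Nuremberg, Example GmbH, Managed Services), the file names and the three host-name patterns are constructed placeholders. One deliberate deviation from the config above: keyUsage is set to digitalSignature, keyEncipherment instead of keyEncipherment, dataEncipherment, because TLS cipher suites with ECDHE key exchange need the server key to be allowed to sign.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes a req.conf for a
# host name, generates key and CSR, and reads the SANs back from the CSR.
# Subject values, file names and host-name patterns are constructed placeholders.
set -eu

# make_req_conf DOMAIN FILE: write an OpenSSL request config for DOMAIN.
make_req_conf() {
    domain=$1
    file=$2
    cat > "$file" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = DE
ST = Bavaria
L = Nuremberg
O = Example GmbH
OU = Managed Services
CN = ${domain}

[v3_req]
# digitalSignature is needed for ECDHE suites (assumption: a TLS server cert)
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${domain}
DNS.2 = www.${domain}
DNS.3 = *.${domain}
EOF
}

# make_csr CONF KEY CSR: 4096-bit RSA key plus SHA-256 signed CSR from CONF.
make_csr() {
    openssl genrsa -out "$2" 4096 2>/dev/null
    openssl req -new -sha256 -key "$2" -config "$1" -out "$3"
}

# csr_sans CSR: print the DNS names in the CSR's subjectAltName, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# csr_has_san CSR NAME: succeed if NAME is listed as a SAN in the CSR
# (-F: fixed string, so a wildcard name is matched literally).
csr_has_san() {
    csr_sans "$1" | grep -Fqx -- "$2"
}

# Usage: ./mkcsr.sh example.com  -> writes req.conf, server.key, server.csr
if [ $# -ge 1 ]; then
    make_req_conf "$1" req.conf
    make_csr req.conf server.key server.csr
    echo "SANs in server.csr:"
    csr_sans server.csr
    # refuse to hand out a CSR whose CN is missing from the SAN list
    csr_has_san server.csr "$1" || { echo "CN $1 not in subjectAltName" >&2; exit 1; }
fi
```

Run it once the certificate has been issued as well, pointing csr_sans-style inspection at the certificate (openssl x509 -in ... -noout -text) instead of the request: if the CA stripped or rewrote the SANs, this is where you find out, not in the browser.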

Tim Albert
Systems Engineer

Tim comes from a small village between Nuremberg and Ansbach, on the picturesque B14. He studied teaching in Erlangen and information management in Koblenz; his work as a student employee at IDS Scheer strongly influenced his switch from teaching to IT. Alongside his studies, Tim also worked in user support for a factory customer-service company. Blerim and Sebastian brought him into our Managed Services team at the beginning of 2016, where he now particularly...