How to Generate a CSR for Multi-Domain SSL Certificates

In general, an SSL certificate validates a single domain. However, practical requirements sometimes force you to secure multiple domains with a single certificate. If you are a beginner searching for a solution to this problem, you are in the right place. The short answer is yes: you can secure multiple domains with a single certificate. To acquire an SSL certificate that secures multiple domains, you generate a CSR (Certificate Signing Request) for the multi-domain certificate and submit it to a CA to sign. After reading this post, you will be able to generate a CSR for a multi-domain SSL certificate using OpenSSL.

Before you go ahead, we encourage you to learn about the different types of certificates if you have time.

What Is A Multi-Domain/SAN Certificate?

Multi-domain certificates are certificates that can be used to validate more than one domain name. They are also known by two other names: UCC (Unified Communications Certificate) and SAN (Subject Alternative Name) certificate.

If you have ever created a Certificate Signing Request for a single-domain certificate, you will be familiar with the ‘common name’ field, which holds the Fully Qualified Domain Name (FQDN) the certificate is issued for. A single SSL certificate does not have multiple common names: it has exactly one, the primary domain of the certificate. In addition, it carries multiple Subject Alternative Names (SAN), also called Alt Names or DNS Names. Each SAN is matched like a common name, which is why it is also called a SAN certificate.

Let’s see an example of a multi-domain or SAN certificate:

CN (Common Name) = example.com
DNS 1 = www.example.com
DNS 2 = mydomain.com
DNS 3 = exampledomain.com

If you create a certificate with this information, the certificate will secure all four domains. The same certificate can be used for any of the four domains.

What Is The Maximum Number Of SANs Allowed In An SSL Certificate?

Different Certificate Authorities specify different maximum limits. Windows Certificate Authority sets the limit at 4 Kb. RFC 5280 Section 4.2.1, however, does not specify a maximum: the range is defined as 1…MAX, and the value of MAX is not specified.

How To Generate A CSR for Multi-Domain SSL Certificates?

Let’s see how to generate a CSR for a certificate that can secure multiple domains, that is, how to add multiple SAN, DNS, or Alt Name entries to the CSR using OpenSSL.

Time needed: 15 minutes.

How to add multiple SAN or DNS, or Alt Names to the CSR using OpenSSL?

  1. Create a copy of OpenSSL config file

    Create a copy of the existing config file. The existing OpenSSL config file will be at /etc/ssl/openssl.cnf or /usr/lib/ssl/openssl.cnf.

    Use the cp command to take a copy of the config file:

    # cp /etc/ssl/openssl.cnf /home/arunkl/multi-domain-site/


  2. Edit the config file and enable [ v3_req ]

    Use your choice of editors to edit the config file. We use nano in this demonstration.

    # nano /home/arunkl/multi-domain-site/openssl.cnf

    Look for the [ req ] section and uncomment the following line. If you don’t see the line, add it under [ req ]. This directs OpenSSL to read the [ v3_req ] section when it builds the request.

    req_extensions = v3_req


  3. Enable SubjectAltName under [ v3_req ] section

    Scroll down until you see [ v3_req ] and add the following line. This tells OpenSSL to read the alt names from the [ alt_names ] section.

    subjectAltName = @alt_names


  4. Add Alt Name or SAN names in the config file

    Create a new section [ alt_names ] at the bottom of the config file and add the SAN, DNS, or Alt names like this:

    [ alt_names ]
    DNS.1 = www.exampledomain.com
    DNS.2 = exampledomain.com
    DNS.3 = thesecmaster.local
    DNS.4 = mydomain.local

    Note: Do not add the domain name used in the common name field again.

    Now you are done with the creation of the config file. Hit Ctrl + o to save the config file and Ctrl + x to exit.


  5. Generate the private key

    Run this command to create a private key for your certificate. Do not set a passphrase, because Nginx has to read this private key unattended.

    # openssl genrsa -out example.com.key 2048


  6. Generate the CSR for multi-domain or SAN certificate

    Create the CSR from the private key and the config file created in the previous steps. Point -config at the copy you edited (the file was copied as openssl.cnf in step 1, so use that path, not a file name that does not exist):

    # openssl req -new -key example.com.key -out example.com.csr -config /home/arunkl/multi-domain-site/openssl.cnf


  7. Test the CSR

    Test the CSR with the following command:

    # openssl req -in example.com.csr -noout -text

    The CSR is ready to submit to the Certificate Authority.
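The whole procedure above in one script, as an added example that is not code from the original post. It writes a self-contained config with the [ req ], [ v3_req ] and [ alt_names ] sections, generates the key and CSR, verifies the request's signature, and checks that the SAN entries actually landed in the CSR. The work directory ./san-demo, the file names example.com.key / example.com.csr and the DN values are assumptions for the demo.

```shell
# Added example (not from the original post). Assumed: ./san-demo work dir,
# example.com.* file names, and the constructed DN / SAN values below.
set -eu
WORKDIR="${WORKDIR:-./san-demo}"
mkdir -p "$WORKDIR"

# Minimal config written from scratch instead of copying /etc/ssl/openssl.cnf,
# so it behaves the same everywhere. prompt = no takes the DN from the file.
write_san_config() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
[ req_distinguished_name ]
C  = US
O  = Example Org
CN = example.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com        # CN repeated: current browsers match SAN entries only
DNS.2 = www.example.com
DNS.3 = *.mydomain.com     # a wildcard entry works as a SAN too
EOF
}

generate_csr() {
  # No passphrase: the web server must read the key unattended.
  openssl genrsa -out "$WORKDIR/example.com.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/example.com.key" \
    -out "$WORKDIR/example.com.csr" -config "$WORKDIR/openssl.cnf"
}

# Exit status 0 only if the request's self-signature checks out.
verify_csr() { openssl req -in "$WORKDIR/example.com.csr" -noout -verify; }

# Print the SAN line of the decoded CSR (the step 7 check, made greppable).
csr_sans() {
  openssl req -in "$WORKDIR/example.com.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1
}

write_san_config
generate_csr
verify_csr
csr_sans
```

If csr_sans prints nothing, the req_extensions line was not picked up and the CA would issue a single-domain certificate.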


This is how you can generate a CSR for a multi-domain SSL certificate.

Thanks for reading the tutorial post. Please let us know if you have any difficulties in generating a CSR for a multi-domain SSL certificate. Follow us on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium.

Frequently Asked Questions:

1. What is a CSR (Certificate Signing Request)?

A CSR is a block of encoded text that contains information about the entity applying for an SSL certificate. It is generated on the server where the SSL certificate will be installed and includes the public key of the server. The CSR is submitted to a Certificate Authority (CA) for validation and issuance of the SSL certificate.

2. What is a multi-domain SSL certificate?

A multi-domain SSL certificate, also known as a SAN (Subject Alternative Name) or UCC (Unified Communications Certificate), allows multiple domain names to be secured under a single SSL certificate. It simplifies certificate management by consolidating the security of different domains, subdomains, or IP addresses into one certificate.

3. What is OpenSSL?

OpenSSL is a widely-used open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It is also a general-purpose cryptography library that provides cryptographic functionality, such as the ability to generate CSRs and SSL certificates.

4. Can I use OpenSSL to generate a CSR for a multi-domain SSL certificate?

Yes, you can use OpenSSL to generate a CSR for a multi-domain SSL certificate. The provided guide demonstrates the step-by-step procedure to create a CSR using OpenSSL that includes multiple domain names.

5. What information do I need to provide when generating a CSR?

When generating a CSR, you need to provide the following information:


1. Common Name (CN): The primary domain you want to secure (e.g., example.com)
2. Organization Name (O): The full legal name of your organization
3. Organizational Unit (OU): The department or division within your organization responsible for the certificate
4. Locality Name (L): The city or locality where your organization is located
5. State or Province Name (ST): The state or province where your organization is located
6. Country Name (C): The two-letter country code where your organization is based

7. Can I use a wildcard domain in a multi-domain SSL certificate?

Yes, you can use a wildcard domain in a multi-domain SSL certificate. A wildcard domain allows you to secure all subdomains under a primary domain (e.g., *.example.com will cover blog.example.com, shop.example.com, etc.). When generating a CSR for a multi-domain SSL certificate, specify the wildcard domain as one of the SAN entries.

8. How do I submit the generated CSR to a Certificate Authority (CA)?

After generating the CSR using OpenSSL, you can submit it to a CA of your choice. The submission process may vary depending on the CA, but typically involves creating an account, selecting the type of SSL certificate you want to purchase, and pasting the CSR into a designated field during the ordering process.

9. How do I install the multi-domain SSL certificate on my server after receiving it from the CA?

After receiving the multi-domain SSL certificate from the CA, you need to install it on your server. The installation process depends on the web server software you are using (e.g., Apache, Nginx, IIS). Refer to the documentation specific to your web server for detailed installation instructions.

10. Can I add or remove domain names from my multi-domain SSL certificate after it has been issued?

Yes, you can add or remove domain names from your multi-domain SSL certificate after it has been issued. However, you will need to go through the following steps:


1. Generate a new CSR that includes the updated list of domain names you want to secure.
2. Submit the new CSR to your Certificate Authority (CA) to reissue the SSL certificate with the updated domain list.
3. Reinstall the reissued SSL certificate on your server, following the installation instructions specific to your web server software.


Keep in mind that you may need to repeat the domain validation process for any newly added domain names, and the reissue process may incur additional fees depending on your CA’s policies.

11. Can I use a multi-domain SSL certificate on multiple servers?

Yes, you can use a multi-domain SSL certificate on multiple servers, provided that the servers are hosting the domain names specified in the SSL certificate. To do so, you will need to install the certificate and the associated private key on each server.

12. How long is a multi-domain SSL certificate valid?

The validity period of a multi-domain SSL certificate can vary depending on the Certificate Authority (CA) and the specific certificate type. However, most multi-domain SSL certificates have a maximum validity period of two years. Keep in mind that you will need to renew the SSL certificate before it expires to maintain the security of your domain names.

13. What are the benefits of using a multi-domain SSL certificate?

Some benefits of using a multi-domain SSL certificate include:


1. Simplified certificate management: You can secure multiple domain names, subdomains, or IP addresses with a single certificate, reducing the administrative overhead of managing multiple SSL certificates.
2. Cost savings: Purchasing a multi-domain SSL certificate can be more cost-effective than buying individual SSL certificates for each domain name.
3. Flexibility: You can easily add or remove domain names from your multi-domain SSL certificate as needed, allowing you to adapt to changes in your organization’s online presence.
4. Improved security: By using a single SSL certificate for multiple domains, you can streamline the process of ensuring that all your domain names are encrypted and secure.

14. How do I renew a multi-domain SSL certificate?

To renew a multi-domain SSL certificate, you will need to follow these steps:


1. Generate a new CSR (Certificate Signing Request) for the domain names you want to secure. Ensure that the CSR includes all the domain names that were part of the original certificate and any new ones you want to add.
2. Submit the new CSR to your Certificate Authority (CA), requesting a renewal of your existing multi-domain SSL certificate.
3. Complete the domain validation process for each domain name included in the certificate, as required by the CA.
4. Once the CA has issued the renewed certificate, install it on your server, following the specific installation instructions for your web server software.
5. Verify that the renewed certificate is functioning correctly by checking the secure connections for each domain name.

15. What happens if my multi-domain SSL certificate expires?

If your multi-domain SSL certificate expires, web browsers and other clients connecting to your domain names will display a security warning, indicating that the connection is not secure. This can lead to a loss of trust from your visitors and potentially result in lost sales or conversions. To avoid this, it is essential to monitor your SSL certificate’s expiration date and renew it before it expires.
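The expiry check a monitoring job should run before the warning above ever appears, as an added example that is not code from the original post. The certificate is a constructed self-signed test certificate with a two-day lifetime; in real use point CERT at the installed certificate file instead.

```shell
# Added example (not from the original post). Assumed: a constructed
# self-signed test cert ./expiry-demo.pem valid for 2 days.
set -eu
CERT="${CERT:-./expiry-demo.pem}"

make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ./expiry-demo.key \
    -out "$CERT" -days 2 -subj '/CN=example.com' 2>/dev/null
}

# Exit 0 if the certificate is still valid $1 days from now, 1 if it will
# have expired by then (-checkend takes the window in seconds).
cert_ok_for_days() {
  openssl x509 -in "$CERT" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

make_test_cert
openssl x509 -in "$CERT" -noout -enddate
cert_ok_for_days 1 && echo "OK: more than 1 day of validity left"
cert_ok_for_days 30 || echo "WARNING: expires within 30 days, start renewal"
```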

16. Can I transfer a multi-domain SSL certificate from one Certificate Authority (CA) to another?

Transferring a multi-domain SSL certificate from one CA to another is not possible. If you want to switch CAs, you will need to purchase a new multi-domain SSL certificate from the desired CA and go through the domain validation process again. Once you have the new certificate, install it on your server and replace the existing certificate from the previous CA.

17. Can I upgrade a single-domain SSL certificate to a multi-domain SSL certificate?

Upgrading a single-domain SSL certificate to a multi-domain SSL certificate is not possible. Instead, you will need to purchase a new multi-domain SSL certificate, generate a CSR that includes all the domain names you want to secure, and submit it to your Certificate Authority (CA). After completing the domain validation process and receiving the multi-domain SSL certificate, you can install it on your server, replacing the single-domain SSL certificate.

18. How many domain names can a multi-domain SSL certificate secure?

The maximum number of domain names that a multi-domain SSL certificate can secure varies depending on the Certificate Authority (CA) and the specific certificate product. Typically, a multi-domain SSL certificate can secure between 25 and 100 domain names. Some CAs offer the option to add more domain names through the purchase of additional Subject Alternative Name (SAN) slots.

About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.


  1. Hi everyone!

    can you please help me with below error

    openssl req -new -key example.com.key -out example.com.csr -config example.com.cnf
    error on line -1 of example.com.cnf
    139956674074512:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('example.com.cnf','rb')
    139956674074512:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
    139956674074512:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:

    I followed the steps as mentioned,
    but when I try to run the 6th step I am facing this error.

    1. Hi Shenba,

      Try this command:
      openssl req -new -key example.com.key -out example.com.csr -config openssl.cnf

      The error shows that no such file exists by the name “example.com.cnf”.
