How do I add multiple email addresses to an SSL certificate via the command line?
You don't have to mess around with the openssl.cnf file in any way.
The following command demonstrates how to generate a self-signed certificate with SAN for the email [email protected]:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout example.key -out example.crt -subj '/CN=Nobody' \
-extensions san \
-config <(echo '[req]'; echo 'distinguished_name=req';
echo '[san]'; echo 'subjectAltName=email:[email protected]')
The trick here is to include a minimal [req] section that is good enough for OpenSSL to get along without its main openssl.cnf file.
In OpenSSL ≥ 1.1.1, this can be shortened to:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout example.key -out example.crt -subj '/CN=Nobody' \
-addext 'subjectAltName=email:[email protected]'
Here we are using the new -addext option, so we don't need -extensions and -config anymore.
Don't forget to verify the contents of the generated certificate:
openssl x509 -noout -text -in example.crt
See also: https://security.stackexchange.com/a/198409/133603 and https://stackoverflow.com/a/41366949/19163
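For the multiple-address case in the question, the subjectAltName value takes a comma-separated list of email: entries. The script below is an added example, not part of the original answer; it goes beyond the single-address command by building that list from arguments and rejecting any "address" that could smuggle in extra SAN entries. The function names, the KEYSPEC override and the sample addresses are assumptions made for illustration, and it relies on -addext (OpenSSL ≥ 1.1.1).

```shell
#!/bin/sh
# Added example. Function names and KEYSPEC are hypothetical helpers.

# Build "subjectAltName=email:a,email:b" from the addresses passed as arguments.
# Each address is restricted to a conservative character set: a comma or colon
# inside one "address" would otherwise be parsed by OpenSSL as a further SAN
# entry (for example a DNS name that was never meant to be in the certificate).
build_email_san() {
    [ "$#" -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    san=
    for addr in "$@"; do
        case $addr in
            *[!A-Za-z0-9@._+-]*|*@*@*|@*|*@)
                echo "rejected address: $addr" >&2; return 1 ;;
            *@*) san="${san:+$san,}email:$addr" ;;
            *)   echo "rejected address: $addr" >&2; return 1 ;;
        esac
    done
    printf 'subjectAltName=%s\n' "$san"
}

# Generate a key and a self-signed certificate carrying every address as an
# email SAN. Usage: make_email_cert OUT_PREFIX ADDRESS...
make_email_cert() {
    prefix=$1; shift
    ext=$(build_email_san "$@") || return 1
    openssl req -x509 -newkey "${KEYSPEC:-rsa:4096}" -sha256 -days 3650 -nodes \
        -keyout "$prefix.key" -out "$prefix.crt" -subj '/CN=Nobody' \
        -addext "$ext"
}

# Print only the SAN extension, to confirm what actually ended up in the cert.
show_san() {
    openssl x509 -noout -ext subjectAltName -in "$1"
}

# Usage with constructed sample addresses:
#   make_email_cert example alice@example.com bob@example.org && show_san example.crt
```
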