How to create CSR with multiple SANs

Sometimes you would like to include SANs (Subject Alternative Names) in your certificate. A SAN is a certificate extension that allows you to secure multiple domains/subdomains with just one SSL certificate.

However, the VMware tool /usr/lib/vmware-vmca/bin/certificate-manager has no option to add SANs.

The solution is to not use VMware's certificate manager to create the CSR, but to run openssl with a req.conf file instead.

Runlist:

  1. SSH to your vCenter server
  2. Create new file named req.conf
  3. Paste this code:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = your_country
ST = state
L = City
O = Organization
OU = OrgUnit
CN = dns_name.your.domain.com

[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = dns_name.your.domain.com
  4. Edit only these values (do not change anything else!):
    • C
    • ST
    • L
    • O
    • OU
    • CN
    • DNS.1
  5. If you want multiple SANs, add more DNS entries after DNS.1, numbering them consecutively:

DNS.1 = dns_name.your.domain.com
DNS.2 = dns_name2.your.domain.com
DNS.3 = dns_name3.your.domain.com

  6. Save the file – the name has to be req.conf
  7. Run this command to generate the private key and the CSR (-nodes writes request_name.key unencrypted):
openssl req -new -out request_name.csr -newkey rsa:2048 -nodes -sha256 -keyout request_name.key -config req.conf
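
Before sending the CSR to your CA, confirm that the SANs from req.conf really ended up in the request and that the CSR belongs to the key you just generated. The script below is an added example, not part of the original article; the function names conf_sans, csr_sans and check_csr are illustrative, and it assumes the req.conf layout shown above (DNS.n entries only).

```shell
#!/bin/sh
# Added example: verify a CSR against the req.conf that produced it.
# Usage: check_csr request_name.csr request_name.key req.conf

# DNS names listed as DNS.n entries in the config, one per line, sorted.
conf_sans() {
    sed -n 's/^[[:space:]]*DNS\.[0-9][0-9]*[[:space:]]*=[[:space:]]*//p' "$1" | sort
}

# DNS names actually embedded in the CSR's subjectAltName extension, sorted.
# Prints nothing if the CSR has no SAN extension at all.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | sort
}

# Succeeds only if the CSR carries exactly the SANs from the config and
# its public key matches the given private key.
check_csr() {
    csr=$1 key=$2 conf=$3
    if [ "$(csr_sans "$csr")" != "$(conf_sans "$conf")" ]; then
        echo "SAN mismatch between $csr and $conf" >&2
        return 1
    fi
    if [ "$(openssl req -in "$csr" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "$key does not match the public key in $csr" >&2
        return 1
    fi
    echo "OK: $(csr_sans "$csr" | wc -l | tr -d ' ') SAN(s), key matches"
}
```

A SAN mismatch usually means the req_extensions = v3_req line was removed or the wrong -config file was used, in which case openssl still writes a CSR, just without the SAN extension.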

To create a certificate from this CSR, please read this article: https://angrysysops.com/2021/09/09/how-to-renew-certificates-for-vcenter-6-x/

BONUS:

If you need for some reason to convert your certificate to PEM format:

openssl x509 -in mycert.crt -out mycert.pem -outform PEM
