Creating a Certificate Signing Request (CSR) with multiple Subject Alternative Names (SAN) using OpenSSL – Wait, it’s all secure? Always has been.


When you want to use digital certificates (also known als public key certificate) to establish a secure connection between computers, you will need to create a certificate signing request. A certificate is most commonly used for SSL/TLS, which is to provide confidentiality and integrity between two communicating applications.

The Subject Alternative Name (SAN or subjectAltName) is a field which allows you to define additional host names to be secured by a single certificate (also known as a Multi-Domain Certificate). For example, this can be useful when you have many domains/subdomains that needs to be secured. In terms of finances and pragmatism, you may not want to purchase different certificates as this might get expensive or having multiple certificates can be bothersome to implement.

You might be thinking, this sounds like a wildcard certificate! You’re not wrong as both type of certificates are quite similar. Both SAN and wildcard certificates allows you to secure multiple (sub)domains. However, a wildcard certificate cannot protect both and as the top-level domain (TLD) is different. A wildcard certificate only protects the primary domain (as defined in the Common Name) and any subdomains. Plus, wildcard certificates shouldn’t be used anymore since it’s deprecated as shown in section 7.2 of RFC 6125.

7.2. Wildcard Certificates This document states that the wildcard character ‘*’ SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure).


  1. Ensure that you have the latest version of OpenSSL installed.
  2. Create a new text file using your favorite simple text editor and name it request.config.
  3. Copy the following text to the request.config file and change the C\ST\L\O\OU\CN\DNS.* attributes accordingly. Go to chapter Definitions and Examples for more information regarding these attributes.

Syntax of a request.config file:

distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
C = <countryName>
ST = <stateOrProvinceName>
L = <localityName>
O = <organizationName>
OU = <organizationalUnit>
CN = <commonName>
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
DNS.1 = <hostName>
DNS.2 = <hostName>

Example of a request.config file:

distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
C = NL
ST = Noord-Holland
L = Amsterdam
O = Identandy
OU = Public Relations
CN =
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
DNS.1 =
DNS.2 =
DNS.3 =
  1. Ensure that there aren’t any whitespaces at the beginning or the end of the lines.
  2. Start the following command to create the certificate signing request.

Syntax of an OpenSSL command to create a CSR:

openssl req -new -out <csr_file> -newkey rsa:2048 -nodes -sha256 -keyout <private_key> -config <request.config>

Example of an OpenSSL command to create a CSR:

openssl req -new -out identandy_com.csr -newkey rsa:2048 -nodes -sha256 -keyout identandy_com_private.key -config request.config
  1. After executing the OpenSSL command you will be greeted with the following message and your CSR (identandy_com.csr) and private key (identandy_com_private.key) have been created.
Generating a RSA private key
writing new private key to 'identandy_com_private.key'
  1. Start the following command to verify the certificate signing request
openssl req -text -noout -verify -in identandy_com.csr

verify OK
Certificate Request:
        Version: 1 (0x0)
        Subject: C = NL, ST = Noord-Holland, L = Amsterdam, O = Identandy, OU = Public Relations, CN =
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
    Signature Algorithm: sha256WithRSAEncryption

And there you have it! That’s all you need to do to generate a CSR using OpenSSL. I hope that you have find it useful and if you have any questions leave a comment below.

Definitions and Examples

Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it. Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. A wide range of security controls can provide protection for confidentiality, including, but not limited to, encryption, access controls, and steganography.

Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data. It ensures that data remains correct, unaltered, and preserved. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes and oversights).

Country Name (CN) Use the two-letter country code based on ISO 3166-1 alpha-2. Example: NL

State or Province (S) Spell out the state completely; do not abbreviate the state or province name. Example: Noord-Holland

Locality or City (L) Spell out the city or town name completely; do not abbreviate the locality or city name. Example: Amsterdam

Organization (O) If the company or department has an &, @, or any other symbol, the symbol must be spelled out or omitted. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation. 

Organizational Unit (OU)  The Organizational Unit (OU) field is the name of the department or organization unit making the request.

Common Name (CN) The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN), is the characteristic value within a Distinguished Name. Example:

CategoriesWindows Update

Windows Update 2020 July – DNS is as leaky as a basket

Microsoft released a patch for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0.

Let’s start with the vulnerability also known as SIGRed. According to the researcher Sagi Tzadik from Checkpoint Research, this bug existed for over 17 years and it’s an integer overflow vulnerability. What does this all mean?

The DNS service (dns.exe) in Microsoft Windows Server fails to validate a 16-bit register for a SIG Record. An attacker can exploit this and because the DNS Service runs under the SYSTEM context, remote code execution is a possibility or even granting Domain Administrator rights. The CVSS score of 10.0 means that this must be patched as soon as possible. As of writing, Microsoft confirms that the vulnerability hasn’t been exploited yet but I’m sure that this will change soon. A proof-of-concept has shown that this vulnerability can be exploited remotely through an HTTP payload to non-chromium browsers.

Affected Systems

  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core)
  • Windows Server 2012
  • Windows Server 2012 (Server Core)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core)
  • Windows Server 2016
  • Windows Server 2016 (Server Core)
  • Windows Server 2019
  • Windows Server 2019 (Server Core)
  • Windows Server version 1909 (Server Core)
  • Windows Server version 1903 (Server Core)
  • Windows Server version 2004 (Server Core)


It is highly recommended to patch the affected Windows DNS Servers to prevent the exploitation of this vulnerability as soon as possible. The July update should already been made available in Microsoft Update and WSUS. See Microsoft’s Security Update Guide for more information regarding which security update you need. A system reboot is required after installing the update.


You can define a maximum length of a DNS message over TCP in the registry. Make sure to restart the DNS Service for the registry change to take effect.

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters 
Value: TcpReceivePacketSize 
Type: DWORD 
Value data: 0xFF00

You can also do the same by running the following command in an elevated command prompt.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS

After applying the patch, you can remove the workaround by removing the TcpReceivePacketSize value and its corresponding data.