SSL Certificate with SAN Extensions

I keep forgetting how to do this, so I’m putting it here for my own edification.  Chrome and Firefox browsers require SAN extensions for ssl certificates to be valid.  Create / request certificates with the extensions to save yourself a headache.

openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout server.key \
-new \
-out server.crt \
-subj / \
-reqexts SAN \
-extensions SAN \
-config <(cat /System/Library/OpenSSL/openssl.cnf \
<(printf '[SAN]\')) \
-sha256 \
-days 3650

The above is for MacOS, as can been seen by the openssl.cnf being in /System/Library/OpenSSL.  You can adjust this for whatever Linux distro you are using by changing that to something like:

-config <(cat /etc/ssl/openssl.cnf \

for Ubuntu 16.04.5.  Or:

-config <(cat /etc/pki/tls/openssl.cnf \

for Fedora 29 / CentOS 7.

To do a csr for a legit certificate request, create a configuration file, req.conf:

default_bits = 4096
default_md = sha256
distinguished_name = dn

req_extensions = v3_req
prompt = no
encrypt_key = no

[ dn ]
O=Example Company
OU=Example Department
[email protected]

subjectAltName = @alt_names

DNS.1 =
DNS.2 =

Then generate the csr with the following command:

openssl req -new -config req.conf -out

Note: you can use any name for the configuration file (req.conf), private key ( and csr (