Last updated: September 6, 2022

Reduce SSL cost and maintenance by using a single SAN certificate for multiple websites.

SAN stands for “Subject Alternative Names”, and it lets you have a single certificate for multiple CNs (Common Names).

You might be thinking this is a wildcard SSL certificate, but it’s slightly different: in a SAN certificate, you can have multiple complete CNs.



I can have all of the above and much more in just a single certificate. This means I only have to buy one certificate and can use it for multiple URLs.

Sounds interesting?

Creating a CSR for SAN is slightly different from the traditional OpenSSL command, and I will explain below how to generate a CSR for a Subject Alternative Names SSL certificate.

Let’s take a look at a real-time example of, which has many SAN in a single certificate.


As you can see in the above example, if you are managing multiple HTTPS URLs, you may consider consolidating them into a single SSL certificate with SAN and save thousands of dollars.

What do you think about this?

Procedure to create CSR with SAN

  • Log in to a server where you have OpenSSL installed
  • Go to /tmp or create any directory
  • Create a file named san.cnf using vi (if on Unix) with the following information
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                = Country Name (2 letter code)
stateOrProvinceName        = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
# Placeholder hostnames: replace with the names the certificate must cover
DNS.1   = www.example.com
DNS.2   = example.net
DNS.3   = example.org

Note: the alt_names section is the one you have to change for additional DNS names.

  • Save the file and execute the following OpenSSL command, which will generate CSR and KEY file
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf

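This will create sslcert.csr and private.key in the present working directory. You have to send sslcert.csr to the certificate signing authority so they can provide you a certificate with SAN. The -nodes option writes private.key without passphrase encryption, so keep that file readable only by its owner; the certificate authority needs only the CSR.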

How to verify CSR for SAN?

It is a good idea to check that your CSR contains the SANs you specified above in the san.cnf file.

openssl req -noout -text -in sslcert.csr | grep DNS


[root@Chandan test]# openssl req -noout -text -in sslcert.csr | grep DNS
[root@Chandan test]#

Once you are happy with the CSR, you can send it to your certificate authority to sign the certificate. Alternatively, you can buy from SSL Store.
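
The procedure and the check above, as an added example that is not part of the original article: a script that writes san.cnf for a list of hostnames, generates the key and CSR without prompts, and reports any requested name that is missing from the CSR. The function names and the example.com hostnames used with them are assumptions.

```shell
# Added example (not from the original article); hostnames passed in are placeholders.

# Print a san.cnf for the given hostnames; the first one is also used as the CN.
make_san_cnf() {
  local cn="$1" i=1 h
  cat <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
commonName = $cn
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOF
  for h in "$@"; do echo "DNS.$i = $h"; i=$((i + 1)); done
}

# Read `openssl req -noout -text` output on stdin and print its DNS names, one per line.
csr_dns_names() {
  grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Print each expected hostname absent from the CSR text on stdin; return 1 if any is missing.
missing_sans() {
  local found h rc=0
  found=$(csr_dns_names)
  for h in "$@"; do
    printf '%s\n' "$found" | grep -qxF -- "$h" || { echo "$h"; rc=1; }
  done
  return $rc
}

# Create san.cnf, private.key and sslcert.csr in directory $1 for hostnames $2..., then verify.
make_csr() {
  local dir="$1"; shift
  ( umask 077   # -nodes leaves the key unencrypted, so create it owner-only
    make_san_cnf "$@" > "$dir/san.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/san.cnf" \
      -keyout "$dir/private.key" -out "$dir/sslcert.csr" 2>/dev/null ) || return 2
  openssl req -noout -text -in "$dir/sslcert.csr" | missing_sans "$@"
}
```

Call it as `make_csr /path/to/dir www.example.com api.example.com`; a non-zero exit status means the CSR was not created or lacks one of the requested names, which is what happens when the alt_names section or the req_extensions line is left out of the config.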

  • Chandan Kumar
    As the founder of Geekflare, I’ve helped millions to excel in the digital realm. Passionate about technology, I’m on a mission to explore the world and amplify growth for professionals and businesses alike.