Specify Subject Alternative Name when generating a self signed certificate

Question

Is there a way to get a .crt and .key file with the subject alternative name set? I am configuring a proxy with an openssl .crt and .key generated by this command

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout proxy.key -out proxy.crt

I then cat the .key and .crt to get a .pem and use that on the client side. This cert works fine for securing the https connection but I get a warning that the Subject Alternative Name is not set in the certificate. In another client I use the warning is actually an error that terminates the connection.

The solution here https://security.stackexchange.com/a/91556 gives me a .csr which I rename to become the .crt I need, and when I use this with the client the https connection fails on incorrect ssl certificate.

Answer 1

As per @vog's answer:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"

(note that this is only for OpenSSL >= 1.1.1).

Answer 2

Is there a way to get a .crt and .key file with the subject alternative name set?

Yes, but you cannot do it from the command line. You have to use a CONF file.

For setting the SAN via a CONF file, see How do you sign Certificate Signing Request with your Certification Authority and How to create a self-signed certificate with openssl?. Both include the SAN in the procedures.