Create an OpenSSL self-signed SAN cert in a single command

Drew Cain @groksrc
Mar 5, 2019

Note: This is mainly for my future self. Hopefully, you’ll find it useful too.

I’m currently working on a project that requires SSL on my development web server. Setting up a self-signed certificate with OpenSSL is reasonably straightforward and that had been working for a while. But then the requirement was added that the hostname could not be ‘localhost’. 🙄 Blame the vendor. Hello SAN (Subject Alternative Name) cert.

I found many examples online about how to do this with a config file, but I needed this to work in a simple one-liner. So here it is:

# Requires bash or zsh: the config is passed in via process substitution, <( ... ).
# -nodes writes example.key without a passphrase.
openssl req \
  -x509 \
  -newkey rsa:4096 \
  -sha256 \
  -days 3560 \
  -nodes \
  -keyout example.key \
  -out example.crt \
  -subj '/CN=<Your Cert Name>' \
  -extensions san \
  -config <( \
    echo '[req]'; \
    echo 'distinguished_name=req'; \
    echo '[san]'; \
    echo 'subjectAltName=DNS:localhost,DNS:<yourdomain>')

Just replace <Your Cert Name> with what you want to appear as the title, and <yourdomain> with the domain you want to impersonate. You can, of course, add additional domain names to the list: every entry needs its own DNS: prefix, and entries are separated with a comma (no space). You’ll then need to import the certificate to your certificate store and set the trust options according to your environment. That’s it!

-g
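
Before importing the certificate into a trust store, it is worth confirming which hostnames it actually covers. The following is an added example, not part of the original post: it builds a short-lived certificate from the same two config sections (written to a temporary file so it also runs in plain sh) and checks names with openssl x509 -checkhost. The function names and the example.test hostnames are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Hostnames are constructed samples.

# make_san_cert DIR CN NAME... -> writes DIR/example.key and DIR/example.crt
make_san_cert() {
  dir=$1; cn=$2; shift 2
  san=""
  for name in "$@"; do
    san="${san:+$san,}DNS:$name"   # every SAN entry carries its own DNS: prefix
  done
  # Same two config sections as the one-liner, written to a file instead of <( ... ).
  printf '[req]\ndistinguished_name=req\n[san]\nsubjectAltName=%s\n' "$san" \
    > "$dir/san.cnf"
  # rsa:2048 and 30 days keep the demo quick; the post uses rsa:4096 and 3560 days.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -nodes \
    -keyout "$dir/example.key" -out "$dir/example.crt" \
    -subj "/CN=$cn" -extensions san -config "$dir/san.cnf" || return 1
  chmod 600 "$dir/example.key"     # -nodes leaves the private key unencrypted
}

# cert_covers CRT HOST -> exit status 0 only if the certificate is valid for HOST
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Demo: the CN is deliberately a name that is absent from the SAN list.
tmp=$(mktemp -d)
make_san_cert "$tmp" cn-only.example.test localhost dev.example.test
for h in localhost dev.example.test other.example.test cn-only.example.test; do
  if cert_covers "$tmp/example.crt" "$h"; then
    echo "$h: covered"
  else
    echo "$h: NOT covered"
  fi
done
rm -rf "$tmp"
```

A name that appears only as the CN fails the check, because hostname matching ignores the CN once DNS entries are present in the SAN list.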
