@kkroesch
Last active April 2, 2025 06:59
Certificate creation with OpenSSL for devices with Subject Alternative Names (SAN)
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = mydevice.example.com
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydevice.example.com
DNS.2 = otherdevice.example.com
DNS.3 = foo.example.com
DNS.4 = bar.example.com
pkey:
    # Create private key.
    # Most certification authorities only support the RSA algorithm.
    openssl genpkey -algorithm RSA -out device.key

pkeyec:
    # Create private key with elliptic curve algorithm.
    openssl ecparam -name prime256v1 -genkey -noout -out device.key

csr:
    # Create certificate request (CSR) from private key and info from device.cnf.
    just pkey
    openssl req -new -key device.key -out device.csr -config device.cnf

sign:
    # Sign the CSR with the CA key (ca.crt/ca.key). -extfile/-extensions copy the
    # v3_req extensions (SANs, key usage) into the certificate; without them
    # x509 -req ignores the extensions in the CSR.
    openssl x509 -req -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out device.crt -days 365 -sha256 -extfile device.cnf -extensions v3_req

p12:
    # Create a PKCS12 keystore from certificate chain.
    # openssl prompts for the export password; the export recipe below assumes it was left empty.
    [ -f fullchain.crt ] || cat device.crt intermediate.crt ca.crt > fullchain.crt
    openssl pkcs12 -export -out device.p12 -inkey device.key -in fullchain.crt -nodes -name "Device Certificate"

clean:
    # Remove generated files (no error if they are already gone).
    rm -f device.crt device.key device.csr

export:
    # Export keys and certificates from keystore (empty keystore password).
    openssl pkcs12 -in device.p12 -passin pass: -nocerts -nodes -out exported_device.key
    openssl pkcs12 -in device.p12 -passin pass: -nokeys -out exported_device.crt
    openssl pkcs12 -in device.p12 -passin pass: -cacerts -nokeys -out exported_ca.crt
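An added, runnable check that is not part of the gist: it runs the pkeyec, csr and sign recipes above against a throwaway CA and confirms that the issued certificate chains to that CA and actually carries the DNS names from [alt_names]. The throwaway CA, the one-day validity, the shortened two-name [alt_names] list and the temp directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the gist: run its recipes against a throwaway CA
# and verify that the issued certificate really carries the configured SANs.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# device.cnf as in the gist, with two of its four DNS names.
cat > device.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = mydevice.example.com
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydevice.example.com
DNS.2 = otherdevice.example.com
EOF

# Throwaway CA (assumption: the gist expects ca.crt/ca.key to exist already).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
  -keyout ca.key -out ca.crt 2>/dev/null
# The pkeyec and csr recipes.
openssl ecparam -name prime256v1 -genkey -noout -out device.key
openssl req -new -key device.key -out device.csr -config device.cnf

# sign_and_check yes|no: issue device.crt like the sign recipe, with ("yes")
# or without ("no") -extfile/-extensions. Returns 0 only if device.crt chains
# to the CA and lists every DNS name from [alt_names], 1 otherwise.
sign_and_check() {
  if [ "$1" = yes ]; then set -- -extfile device.cnf -extensions v3_req
  else set --; fi
  openssl x509 -req -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out device.crt -days 1 -sha256 "$@" 2>/dev/null || return 1
  openssl verify -CAfile ca.crt device.crt >/dev/null 2>&1 || return 1
  openssl x509 -in device.crt -noout -text > device.txt
  for name in mydevice.example.com otherdevice.example.com; do
    grep -q "DNS:$name" device.txt || return 1
  done
}

sign_and_check yes && echo "with -extfile: SANs present, chain verifies"
sign_and_check no || echo "without -extfile: SANs dropped (x509 -req ignores CSR extensions)"
```

The second call shows why the sign recipe passes -extfile/-extensions: without them, openssl x509 -req issues a certificate with no SAN at all, which TLS clients will reject for the device's hostname.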

kkroesch commented Mar 7, 2025

SANCert

Install OpenSSL and just before using it and adapt the device.cnf for your needs.
