Description

This article explains the format to properly add the SAN (Subject Alternative Name) while generating CSR (Certificate Signing Request).

Scope

FortiGate, FortiProxy.

The CSR can be generated from System -> Certificates -> Create/Import -> Generate CSR

Fill in the required details and mention the SAN in the below format, for example:

DNS:domain1.com

IP:1.2.3.4

If multiple entries need to be added, they should be separated by a comma, with no space in between.

For example:

DNS:domain1.com,DNS:domain2.com,IP:1.2.3.4

The CSR can be validated by using OpenSSL or any other third-party tool.

C:\Program Files\OpenSSL-Win64\bin>openssl req -text -noout -verify -in cert-mydomain.csr

verify OK

Certificate Request:

    Data:

        Version: 1 (0x0)

        Subject: ST = Dubai, L = Dubai, O = mydomain, OU = support, CN = mydomain.com, emailAddress = support@mydomain.com

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:c0:ed:69:80:9c:10:b4:22:3d:9d:72:1e:41:31:

                    12:6e:93:a6:da:fc:7a:b0:43:c1:f3:36:37:f6:a3:

                    1e:50:0b:9b:86:9d:06:34:9b:07:72:3b:29:dc:17:

                    eb:bb:90:81:8d:2b:9b:c7:0b:5c:96:17:61:46:01:

                    1e:d7:1c:48:b7:8b:f9:02:f1:7f:f8:68:a5:c9:8d:

                    c3:b1:b2:44:37:71:22:f7:9e:17:f5:5d:36:ae:ab:

                    fa:27:d5:ef:23:00:1f:6c:ee:bc:d4:5f:47:c1:66:

                    ff:18:67:11:f0:8a:a7:c2:27:4c:7e:a1:f6:8c:bb:

                    9b:16:cd:c7:45:21:c5:d5:f0:49:aa:58:28:5d:c3:

                    0e:aa:3b:e7:d3:51:72:06:1c:86:fa:f3:1d:1c:1e:

                    25:85:17:31:c2:a7:b9:f2:f8:a1:7b:9e:a7:4b:74:

                    59:8d:7d:ed:0c:18:49:c5:fd:84:b5:e7:87:3d:fc:

                    e2:9f:7b:20:74:ef:70:4a:33:11:c2:de:f2:2d:ab:

                    9c:71:b6:19:46:f2:b4:65:45:9f:8a:05:16:40:e1:

                    3b:27:13:da:47:f6:57:ca:00:30:ec:b1:d2:8f:9a:

                    34:03:04:e0:7e:40:ef:59:1a:94:b1:1e:3f:67:e3:

                    76:6e:4e:a3:7b:42:0e:3d:a1:07:0f:af:d9:b9:ed:

                    8e:49

                Exponent: 65537 (0x10001)

        Attributes:

        Requested Extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            X509v3 Subject Alternative Name:

                DNS:domain1.com

            X509v3 Key Usage:

                Digital Signature, Key Encipherment

    Signature Algorithm: sha256WithRSAEncryption

         75:05:17:8d:7f:63:72:b0:47:d8:06:39:ca:24:a7:88:e8:25:

         16:f5:3c:ff:d7:4c:40:d5:b2:88:25:93:af:20:52:3a:5b:ee:

         3f:ca:6d:94:bc:fd:df:e7:a6:a4:f1:a8:d3:21:cb:2a:26:c3:

         3c:49:5c:62:88:ee:4a:59:38:96:e9:50:57:ef:8d:d1:69:0e:

         59:98:f5:e1:d1:2c:5a:76:4a:ee:40:a1:86:5f:89:69:93:53:

         5a:3a:a9:c4:a1:66:9b:55:bd:8e:93:24:e3:80:71:50:60:ad:

         b3:96:a5:bd:84:f6:4f:fa:5c:52:f4:cd:ab:18:fc:fc:43:d9:

         b5:f5:75:91:95:59:5f:a7:03:61:16:b8:11:4f:87:6e:d7:28:

         70:34:40:8d:12:2b:41:73:81:ec:50:28:f6:1b:59:83:3a:28:

         14:33:dc:71:5b:b4:d0:e6:78:02:e7:a5:41:40:56:b1:46:bd:

         c5:dd:c8:03:c4:1a:16:b5:e4:3a:63:63:e8:1b:e7:57:8b:29:

         b3:3d:b6:c9:88:3a:2e:2b:79:a2:e1:3c:1a:42:d0:95:1b:a0:

         36:8f:83:2c:3b:59:e0:b9:b0:9b:15:33:60:f8:51:d6:d3:23:

         2a:c9:9d:13:5f:08:59:51:1b:f3:ab:34:0c:1c:a5:3f:71:3a:

         78:d5:a4:ca