Sachin_Alex_Cherian_
Article Id 213434

 

Description

This article explains the format required to add a SAN (Subject Alternative Name) correctly when generating a CSR (Certificate Signing Request).

Scope

FortiGate, FortiProxy.

Solution

The CSR can be generated from System -> Certificates -> Generate.

Fill in the required details and enter the SAN in the following format, for example:

 

DNS:domain1.com

IP:1.2.3.4

 

If multiple entries need to be added, they should be separated by a comma, with no space in between. For example:

 

DNS:domain1.com,DNS:domain2.com,IP:1.2.3.4

 

 


 

The CSR can be validated by using OpenSSL or any other third-party tool.

 

C:\Program Files\OpenSSL-Win64\bin>openssl req -text -noout -verify -in cert-mydomain.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: ST = Dubai, L = Dubai, O = mydomain, OU = support, CN = mydomain.com, emailAddress = support@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:ed:69:80:9c:10:b4:22:3d:9d:72:1e:41:31:
                    12:6e:93:a6:da:fc:7a:b0:43:c1:f3:36:37:f6:a3:
                    1e:50:0b:9b:86:9d:06:34:9b:07:72:3b:29:dc:17:
                    eb:bb:90:81:8d:2b:9b:c7:0b:5c:96:17:61:46:01:
                    1e:d7:1c:48:b7:8b:f9:02:f1:7f:f8:68:a5:c9:8d:
                    c3:b1:b2:44:37:71:22:f7:9e:17:f5:5d:36:ae:ab:
                    fa:27:d5:ef:23:00:1f:6c:ee:bc:d4:5f:47:c1:66:
                    ff:18:67:11:f0:8a:a7:c2:27:4c:7e:a1:f6:8c:bb:
                    9b:16:cd:c7:45:21:c5:d5:f0:49:aa:58:28:5d:c3:
                    0e:aa:3b:e7:d3:51:72:06:1c:86:fa:f3:1d:1c:1e:
                    25:85:17:31:c2:a7:b9:f2:f8:a1:7b:9e:a7:4b:74:
                    59:8d:7d:ed:0c:18:49:c5:fd:84:b5:e7:87:3d:fc:
                    e2:9f:7b:20:74:ef:70:4a:33:11:c2:de:f2:2d:ab:
                    9c:71:b6:19:46:f2:b4:65:45:9f:8a:05:16:40:e1:
                    3b:27:13:da:47:f6:57:ca:00:30:ec:b1:d2:8f:9a:
                    34:03:04:e0:7e:40:ef:59:1a:94:b1:1e:3f:67:e3:
                    76:6e:4e:a3:7b:42:0e:3d:a1:07:0f:af:d9:b9:ed:
                    8e:49
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:domain1.com
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         75:05:17:8d:7f:63:72:b0:47:d8:06:39:ca:24:a7:88:e8:25:
         16:f5:3c:ff:d7:4c:40:d5:b2:88:25:93:af:20:52:3a:5b:ee:
         3f:ca:6d:94:bc:fd:df:e7:a6:a4:f1:a8:d3:21:cb:2a:26:c3:
         3c:49:5c:62:88:ee:4a:59:38:96:e9:50:57:ef:8d:d1:69:0e:
         59:98:f5:e1:d1:2c:5a:76:4a:ee:40:a1:86:5f:89:69:93:53:
         5a:3a:a9:c4:a1:66:9b:55:bd:8e:93:24:e3:80:71:50:60:ad:
         b3:96:a5:bd:84:f6:4f:fa:5c:52:f4:cd:ab:18:fc:fc:43:d9:
         b5:f5:75:91:95:59:5f:a7:03:61:16:b8:11:4f:87:6e:d7:28:
         70:34:40:8d:12:2b:41:73:81:ec:50:28:f6:1b:59:83:3a:28:
         14:33:dc:71:5b:b4:d0:e6:78:02:e7:a5:41:40:56:b1:46:bd:
         c5:dd:c8:03:c4:1a:16:b5:e4:3a:63:63:e8:1b:e7:57:8b:29:
         b3:3d:b6:c9:88:3a:2e:2b:79:a2:e1:3c:1a:42:d0:95:1b:a0:
         36:8f:83:2c:3b:59:e0:b9:b0:9b:15:33:60:f8:51:d6:d3:23:
         2a:c9:9d:13:5f:08:59:51:1b:f3:ab:34:0c:1c:a5:3f:71:3a:
         78:d5:a4:ca
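
The check described above can be scripted. This is an added example, not part of the original article or Fortinet code: it validates a SAN string in the comma-separated, space-free format and reports any requested entry missing from the openssl req -text output. The function names and the sample text are constructed for illustration, and accepting a leading wildcard label is an assumption.

```python
import ipaddress
import re

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def _norm(kind, data):
    """Normalise one entry so form input and OpenSSL output compare equal."""
    if kind in ("IP", "IP Address"):          # OpenSSL prints "IP Address:"
        return ("IP", str(ipaddress.ip_address(data)))  # ValueError if invalid
    if kind == "DNS":
        labels = data.split(".")
        if labels[0] == "*":                  # assumption: allow a leading wildcard label
            labels = labels[1:]
        if labels and all(LABEL.fullmatch(l) for l in labels):
            return ("DNS", data.lower())
    raise ValueError(f"unsupported or malformed SAN entry: {kind}:{data}")

def parse_san_field(value):
    """Parse the comma-separated, space-free SAN string typed into the CSR form."""
    if any(ch.isspace() for ch in value):
        raise ValueError("SAN string must not contain spaces")
    entries = set()
    for item in value.split(","):
        kind, _, data = item.partition(":")
        entries.add(_norm(kind, data))
    return entries

def sans_in_csr_text(text):
    """Extract SAN entries from `openssl req -text -noout` output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line:
            # The entries are on the next non-empty line, separated by ", ".
            value = next((l for l in lines[i + 1:] if l.strip()), "")
            return {_norm(*(p.strip() for p in item.partition(":")[::2]))
                    for item in value.split(",") if item.strip()}
    return set()

def missing_sans(requested, csr_text):
    """Return requested entries that the generated CSR does not contain."""
    return parse_san_field(requested) - sans_in_csr_text(csr_text)

# Constructed sample output (not from a real CSR), in the layout OpenSSL prints.
SAMPLE_CSR_TEXT = """\
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:domain1.com, DNS:domain2.com, IP Address:1.2.3.4
"""

if __name__ == "__main__":
    print(missing_sans("DNS:domain1.com,DNS:domain2.com,IP:1.2.3.4", SAMPLE_CSR_TEXT))
```

An empty result means every requested entry is present in the CSR; any entry returned should be corrected in the SAN field and the CSR regenerated before it is sent for signing.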