8

So we have a system that generates a key for every server signed by the company CA.

I need to add a SAN to it but don't really have access to the CSR. Is there any way to add a SAN? Maybe generate another cert in the chain so I can use the CA and the provided key/cert.

Any ideas?

Biff

2 Answers

10

There is no way to change an already issued certificate, since this would invalidate the signature. You also cannot issue a new certificate using the certificate you have, since this server certificate has basic constraints CA false, i.e. it can only be used as a leaf certificate and not to sign other certificates.

In other words: you need to create a fully new CSR with all the information you want to have and have it signed by the CA. That you don't have the old CSR does not matter, since the old CSR is incomplete anyway. You could in theory re-create the CSR from your existing certificate, but it would be missing the SAN, the same as the old certificate does.

Steffen Ullrich
2

You cannot alter an existing certificate in any way. That would miss the point of cryptographically signing the certificate.

If you want to add a SAN, most CAs allow you to reissue a certificate with new details, though this will usually revoke your old certificate.

You don't need the old CSR to reissue a certificate, you can instead create a new CSR with the updated details using a new or existing private key.

Lie Ryan
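Both answers describe the same three facts: the issued leaf certificate (basicConstraints CA:FALSE) cannot be used to issue anything, a CSR rebuilt from that certificate carries no SAN either, and the fix is a fresh CSR on the existing key that the CA signs with the SAN included. The script below reproduces all three with a throwaway CA in a temporary directory. It is an added example written for this page, not code from either answer or from any real CA product; the CA name, the host names `server1.example.internal` and `app.example.internal`, and all file names are constructed. It only needs the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the original answers): reproduce the question's
# situation with a throwaway CA and show why the fix is a new CSR.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Throwaway "company CA" with an explicit CA:TRUE basic constraint (constructed).
make_ca() {
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Corp Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 30 -config ca.cnf >/dev/null 2>&1
}

# The server key/cert as a provisioning system might hand them out:
# CN only, no SAN, CA:FALSE. The CSR is deleted afterwards, as in the question.
make_leaf_without_san() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = server1.example.internal\n' > cn.cnf
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -config cn.cnf >/dev/null 2>&1
  printf 'basicConstraints = critical, CA:FALSE\n' > leaf.ext
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 30 -extfile leaf.ext >/dev/null 2>&1
  rm server.csr
}

# "yes" if the certificate $1 carries a Subject Alternative Name extension.
cert_has_san() {
  if openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; then
    echo yes; else echo no; fi
}

# "yes" if the CSR $1 requests a Subject Alternative Name extension.
csr_has_san() {
  if openssl req -in "$1" -noout -text | grep -q 'Subject Alternative Name'; then
    echo yes; else echo no; fi
}

# "yes" if $1 chains to ca.crt (optionally through $2 as an intermediate).
chain_verifies() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile ca.crt -untrusted "$2" "$1" >/dev/null 2>&1 && echo yes || echo no
  else
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 && echo yes || echo no
  fi
}

# (a) Try to use the leaf as issuer for a second certificate. The x509 tool may
# produce a signature, but path validation rejects a CA:FALSE issuer
# (X509_V_ERR_INVALID_CA); the function answers "no" either way.
leaf_can_issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout child.key -out child.csr \
    -config cn.cnf >/dev/null 2>&1
  if openssl x509 -req -in child.csr -CA server.crt -CAkey server.key -CAcreateserial \
       -out child.crt -days 30 >/dev/null 2>&1; then
    chain_verifies child.crt server.crt
  else
    echo no
  fi
}

# (b) Rebuild a CSR from the issued certificate: subject comes back, SAN does not.
recreate_csr_from_cert() {
  openssl x509 -x509toreq -in server.crt -signkey server.key -out recreated.csr >/dev/null 2>&1
}

# (c) The fix: a new CSR on the existing key that requests the SAN, signed by the
# CA. The SAN is passed via -extfile because older x509 tools do not copy CSR
# extensions into the certificate by default.
reissue_with_san() {
  cat > new.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = server1.example.internal
[v3_req]
subjectAltName = DNS:server1.example.internal, DNS:app.example.internal
EOF
  openssl req -new -key server.key -out new.csr -config new.cnf >/dev/null 2>&1
  printf 'basicConstraints = critical, CA:FALSE\nsubjectAltName = DNS:server1.example.internal, DNS:app.example.internal\n' > new.ext
  openssl x509 -req -in new.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out new.crt -days 30 -extfile new.ext >/dev/null 2>&1
}

make_ca
make_leaf_without_san
recreate_csr_from_cert
reissue_with_san
echo "original cert has SAN:   $(cert_has_san server.crt)"
echo "leaf can issue certs:    $(leaf_can_issue)"
echo "recreated CSR has SAN:   $(csr_has_san recreated.csr)"
echo "new CSR has SAN:         $(csr_has_san new.csr)"
echo "reissued cert has SAN:   $(cert_has_san new.crt)"
echo "reissued cert verifies:  $(chain_verifies new.crt)"
```

The reissued certificate reuses `server.key`, so nothing on the server except the certificate file has to change; whether the old certificate is then revoked is, as Lie Ryan notes, the CA's policy.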