
I am attempting to generate a CSR using openssl with subject alternative names; however, I get an error stating no options for adext. See the command below. I am using OpenSSL 1.0.2k-fips.

```
openssl req -new \
-newkey rsa:2048 -nodes -keyout {domain-name}.key \
-out {domain-name}.csr \
-subj "/C=GB/ST=test/L=/O=test/OU=test/CN={domain-name}.com" \
-addext "subjectAltName = DNS:first.{domain-name}.com,DNS:second.{domain-name}.com,DNS:third.{domain-name}.com,DNS:www.{domain-name}.com.com"
```
eagercoder

1 Answer

1

The error implies you have a typo and missed a d out of the command when you entered it the first time (-adext != -addext).

If you take exactly what you've shown in the question and just remove all the {} so it uses domain-name.com as the domain, it fails because L= needs a value, but if you add in a value it then works just fine:

```
$ openssl req -new \
> -newkey rsa:2048 -nodes -keyout domain-name.key \
> -out domain-name.csr \
> -subj "/C=GB/ST=test/L=foo/O=test/OU=test/CN=domain-name.com" \
> -addext "subjectAltName = DNS:first.domain-name.com,DNS:second.domain-name.com,DNS:third.domain-name.com,DNS:www.domain-name.com.com"
Generating a RSA private key
................+++++
...........................................+++++
writing new private key to 'domain-name.key'
-----
```

p.s. you also have an extra .com on the end

hardillb
  • Thanks, but I have just copied what you have there and it does not work... I did not miss out a "d"; I actually have "addext", not "adext", in there. Also, I think this is a version issue, no? – eagercoder Nov 15 '21 at 17:01
  • You've effectively answered your own question. While version 1.1.1 has the `-addext` option, [version 1.0.2 doesn't](https://web.archive.org/web/20210103034813/https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html). – garethTheRed Nov 15 '21 at 20:36
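
Added example, not part of the original thread: since OpenSSL 1.0.2 has no `-addext`, the subject alternative names can be supplied through a config file passed with `-config`, which that version does support. The function names are hypothetical, and `domain-name.com`, its host labels and the `L = foo` value are the placeholders used in the posts above.

```shell
#!/bin/sh
# CSR with subjectAltName on OpenSSL 1.0.2 (no -addext): put the SAN list
# in a small request config and point "openssl req" at it with -config.
# Subject values below are the placeholder values from this page.

# write_san_config FILE CN SAN...  -> writes a minimal req config to FILE
write_san_config() {
    cfg=$1; cn=$2; shift 2
    {
        printf '[req]\n'
        printf 'prompt = no\n'                 # take the DN from [dn], ask nothing
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = v3_req\n\n'   # extensions copied into the CSR
        printf '[dn]\nC = GB\nST = test\nL = foo\nO = test\nOU = test\n'
        printf 'CN = %s\n\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n\n'
        printf '[alt_names]\n'
        i=1
        for name in "$@"; do                   # one DNS.n entry per SAN argument
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# make_csr BASENAME CN SAN...  -> BASENAME.cnf, BASENAME.key, BASENAME.csr
make_csr() {
    base=$1; shift
    write_san_config "$base.cnf" "$@" || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$base.key" -out "$base.csr" \
        -config "$base.cnf" || return 1
    chmod 600 "$base.key"                      # unencrypted key: owner-only access
}

# csr_sans CSR  -> prints the DNS entries actually present in the request
csr_sans() {
    openssl req -in "$1" -noout -text | grep 'DNS:'
}

# Usage:
#   make_csr domain-name domain-name.com first.domain-name.com www.domain-name.com
#   csr_sans domain-name.csr
```

Checking the result with `csr_sans` before submitting the request confirms the names made it into the CSR rather than being silently dropped.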