For an X.509 certificate to support multiple domains, it must use multiple Subject Alternative Name DNS entries, according to RFC 2818 (HTTP over TLS) (or RFC 6125):
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.Matching is performed using the matching rules specified by
[RFC2459]. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.)
As described in this document (except I would use -des3 too for the genrsa command, to protect the private key):
- Make a copy your initial
openssl.cnffile (the original is probably somewhere under/etcon Linux). - Edit it to add
req_extensions = v3_reqin the[ req ]section. - Edit it to add
subjectAltName=DNS:www.example.com,DNS:www.other-example.com(oneDNS:entry per host name you require) in the[ v3_req ]section. - Make OpenSSL use that configuration file. Call it with
OPENSSL_CONF=/path/to/your/openssl.cnf openssl req ...
This being said, I wouldn’t worry too much about setting any extension in the CSR. Any good CA should ignore whatever you’ve set in the CSR and only set whatever they have actually verified when issuing the actual certificate. They’ll happily replace any RDN in your Subject DN (e.g. Country, Organization, …) as well as any extension (SAN or Key Usage). Firstly, if they let any extension as requested in the CSR by the applicant, this would be a security risk, since some applicants could really get anything. Secondly, that’s how they make extra money, by charging you for setting a few bits here and there (e.g. code signing extension): they’ll make sure that you only get what you’ve paid for in your certificate. I understand, though, that you may want to put all the names you request in your CSR, just to be sure.