How to Create a CSR for Multiple Hostnames and Install a Commercial SSL Certificate (PEM) in Apache
1. Prepare a SAN (Subject Alternative Name) OpenSSL Config File
Save this as /etc/ssl/openssl-san.conf (adjust the directory as needed):
```ini
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
CN = smc.betakeoff.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = smc.betakeoff.com
DNS.2 = smc.betakeoff.ch
DNS.3 = spark3.ll.mysslvpn.com
DNS.4 = ssl.anytrust.ch
```
2. Generate the Private Key
```bash
openssl genrsa -out /etc/ssl/private/multisan.key 4096
```
3. Generate the CSR Using Your SAN Config
```bash
openssl req -new -key /etc/ssl/private/multisan.key \
  -out /etc/ssl/private/multisan.csr \
  -config /etc/ssl/openssl-san.conf
```
- The output: multisan.csr (CSR: copy/paste its contents when ordering your certificate from your commercial CA.)
- The private key: multisan.key (Keep this safe and never share it.)
4. Submit the CSR to Your Certificate Authority (CA)
- Open the file multisan.csr in a text editor and copy its contents (including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----).
- Paste this in your CA's certificate order form.
- Validate as required; after approval, you will receive the server certificate and one or more CA intermediate certificates.
5. Combine the CA Certificate Files (if Needed)
- Suppose you get your_domain.crt (your server cert) and ca_bundle.crt (intermediate certificates, sometimes named differently):
```bash
cat your_domain.crt ca_bundle.crt > /etc/ssl/certs/multisan_fullchain.pem
```
- You can rename or adjust paths as you like. This file is called the “full chain” and includes all necessary certs.
6. Install the Certificate into Apache (PEM format)
In your Apache site config or default-ssl.conf (Debian/Ubuntu) or ssl.conf (RHEL/CentOS):
```apache
SSLEngine on
SSLCertificateFile /etc/ssl/certs/multisan_fullchain.pem
SSLCertificateKeyFile /etc/ssl/private/multisan.key
# (Optional; some setups use separate intermediate files)
# SSLCertificateChainFile /etc/ssl/certs/ca_bundle.crt
```
Example for /etc/apache2/sites-available/your-site-ssl.conf:
```apache
<VirtualHost *:443>
    ServerName smc.betakeoff.com
    ServerAlias smc.betakeoff.ch spark3.ll.mysslvpn.com ssl.anytrust.ch

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/multisan_fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/multisan.key

    # Usual DocRoot, log, and other directives
</VirtualHost>
```
7. Enable SSL Module and Site, then Restart Apache
```bash
sudo a2enmod ssl
sudo a2ensite your-site-ssl
sudo systemctl reload apache2
```
Or, for RHEL/CentOS:
```bash
sudo systemctl restart httpd
```
8. Test Your Setup
- Visit SSL Labs SSL Test and enter each hostname to verify your new certificate is in use and trusted.
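Two local checks complement the steps above: confirm the CSR from step 3 carries every hostname before you submit it, and confirm the leaf certificate in the full chain from step 5 belongs to your private key before you reload Apache. This is an added example, not part of the original guide; the function names are hypothetical, and demo_files builds constructed sample files (2048-bit keys and a self-signed certificate standing in for the CA-issued one).

```bash
# Added example (not from the original page); function names are hypothetical.

# List the DNS names in a CSR's subjectAltName, one per line, sorted.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# Succeed only if the CSR ($1) carries exactly the hostnames in the other args.
csr_has_sans() {
    csr_file=$1; shift
    [ "$(csr_sans "$csr_file")" = "$(printf '%s\n' "$@" | sort)" ]
}

# SHA-256 of the public key inside a key, CSR or certificate file.
pubkey_hash() {  # $1 = key|req|x509, $2 = file
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;  # reads the first cert in a chain
    esac | openssl sha256 | awk '{print $NF}'
}

# Succeed only if the leaf (first) certificate in $1 belongs to private key $2.
cert_matches_key() {
    [ "$(pubkey_hash x509 "$1")" = "$(pubkey_hash key "$2")" ]
}

# Constructed sample files: 2048-bit keys for speed, and a self-signed
# certificate standing in for the one a CA would issue.
demo_files() {  # $1 = scratch directory
    cat > "$1/san.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = smc.betakeoff.com
[ req_ext ]
subjectAltName = DNS:smc.betakeoff.com, DNS:smc.betakeoff.ch
EOF
    openssl genrsa -out "$1/demo.key" 2048 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl req -new -key "$1/demo.key" -out "$1/demo.csr" -config "$1/san.conf"
    openssl x509 -req -in "$1/demo.csr" -signkey "$1/demo.key" -days 1 \
        -out "$1/demo.crt" 2>/dev/null
}
```

Against the real files, run csr_has_sans on /etc/ssl/private/multisan.csr with all four hostnames before step 4, and cert_matches_key on /etc/ssl/certs/multisan_fullchain.pem and /etc/ssl/private/multisan.key before step 7. A mismatch in the second check usually means the wrong key was paired with the certificate or the intermediates were concatenated ahead of the server certificate.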
Quick Summary Table
| Step | Description |
|---|---|
| 1 | Create SAN config file for all your hostnames |
| 2 | Generate private key |
| 3 | Generate CSR using config file |
| 4 | Order cert using CSR at your chosen CA |
| 5 | Combine cert + intermediates as fullchain PEM |
| 6 | Edit Apache SSL conf to use fullchain and key |
| 7 | Reload/restart Apache to activate |
Notes
- Adjust all file paths and permissions per your distro and preferences.
- Always back up your private key!