Create SSL Certificate with SANs (Subject Alternative Names)

When you’re developing websites at work, you can set up a self-signed certificate to test pages over SSL, but it’s better to use a trusted certificate. You can get one for free if your employer has set up a CA certificate which you can sign against. Also, since certificates are only valid for one level of a domain, e.g. is different from which is different from, you can add Subject Alternative Names to your certificate and wildcards like *, * and * to use the same certificate over many domains.

The following steps set up a certificate with SANs on a Mac with Apache.

1. Install OpenSSL

$ brew install openssl

2. Create a private host key

$ cd /private/etc/apache2
$ sudo mkdir ssl
$ cd ssl
$ sudo ssh-keygen -f

You can choose anything for the passcode, or leave it blank.

3. Edit OpenSSL Configuration File

Copy /etc/pki/tls/openssl.cnf and save it as

Edit the new file and find the [ req ] section, and add the following:

req_extensions = v3_req

Then, make the [ v3_req ] section look something like this:

[ v3_req ]
# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

Make a new section called [ alt_names ] which looks something like this:

[ alt_names ]
DNS.1 = *
DNS.2 = *
IP.1 =

3. Create a Certificate Signing Request (CSR)

Run the command

openssl req -new -nodes -keyout -out -config

Follow the prompts to specify your country, state, location, company, etc. Optionally, specify a passphrase. This will generate a file.
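A non-interactive version of the configuration and CSR steps above, with a check that the SANs really ended up in the request before it goes to the CA. This is an added example, not part of the original post: the example.test names, 127.0.0.1, the san.* file names, the function names and the use of prompt = no with -newkey are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: all host names, addresses and file names are constructed.

# make_csr DIR: write DIR/san.cnf, then create DIR/san.key and DIR/san.csr
make_csr() {
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no

[ req_dn ]
CN = dev.example.test

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = dev.example.test
DNS.2 = *.dev.example.test
IP.1 = 127.0.0.1
EOF
    # -nodes leaves the new private key unencrypted, as in the command above
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/san.key" \
        -out "$dir/san.csr" -config "$dir/san.cnf" 2>/dev/null
}

# csr_sans FILE: print the SAN entries of a CSR, one per line
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# csr_has_san FILE ENTRY: succeed only if ENTRY (e.g. "DNS:host") is present
csr_has_san() {
    csr_sans "$1" | grep -qxF "$2"
}

# Demo in a throwaway directory: build the CSR and list its SAN entries
work=$(mktemp -d)
make_csr "$work" && csr_sans "$work/san.csr"
rm -rf "$work"
```

If req_extensions is missing from the [ req ] section, csr_sans prints nothing and the CSR carries no SANs. Run the same kind of check on the signed certificate with openssl x509 -noout -text, since a CA can drop requested extensions when it signs.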

4. Have the CSR Signed by Your CA and Download it in Base-64 Format

This process will depend on your employer’s setup. You will end up with a .crt which you can rename to

5. Get a Copy of Your Employer’s CA (Certificate Authority) Certificate

Get the CA cert in base-64 format and save it. I’ll call it abc-company-ca-cert.crt

6. Append the CA Cert to cert.pem

Copy and paste the contents of abc-company-ca-cert.crt to the end of /usr/local/etc/openssl/cert.pem

7. Edit Apache config

In httpd.conf, make sure to uncomment the line

Include /private/etc/apache2/extra/httpd-ssl.conf

8. Edit Apache SSL config

In httpd-ssl.conf, make sure to uncomment the line

SSLEngine on

and add the following lines in the appropriate places:

SSLCertificateFile "/etc/apache2/ssl/"
SSLCertificateKeyFile "/etc/apache2/ssl/"

9. Edit Apache Virtual Hosts

In httpd-vhosts.conf, add the following to your <VirtualHost *:443> containers:

SSLEngine on
SSLCertificateFile /private/etc/apache2/ssl/localhost.crt
SSLCertificateKeyFile /private/etc/apache2/ssl/localhost.key

10. Test Apache Config

$ sudo apachectl configtest
Syntax OK

11. Restart Apache

$ sudo apachectl restart

12. Add the CA Cert to Your Keychain

Double-click abc-company-ca-cert.crt and add the CA cert to the “System” keychain.


13. Specify the CA Cert’s Trust Settings

Edit the cert and set X.509 Basic Policy to “Always Trust”.


14. Test in Chrome

In Chrome, go to a page like You should see a green https:// lock in the URL bar. If it’s not green, try clearing your Chrome browser history and cache, quitting Chrome and trying again.

15. Test in Safari

In Safari, go to a page like You should see a gray locked lock icon in the URL bar.

16. Test in Firefox

In Firefox, go to a page like You should see a gray locked lock icon in the URL bar. If you don’t see the correct lock, go to Firefox > Preferences > Advanced > View Certificates > Authorities > Import and import the abc-company-ca-cert.crt.