NOTE: OpenSSL can be ran in multiple ways. One way on Windows is to install this https://slproweb.com/products/Win32OpenSSL.html.
Create a new <servername>.cfg file in Notepad with the following info updated for the cert. Add/Remove DNS info if more or less SANs are needed:
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
x509_extensions = req_ext
[ dn ]
CN = servername.contoso.com
emailAddress = [email protected]
O = Company Name
OU = Department
L = City
ST = State in 2 letter format
C = US
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = servername.contoso.com
DNS.2 = servername
DNS.3 = servername.domain.local
Next, run the following openssl commands in order. Make sure to change directory to the same directory your <servername>.cfg file is in.
Generate a 256 RSA key:openssl genrsa -out <servername>.key 2048
Generate a PEM certificate with settings defined in <servername>.cfg. Update -days switch to how many days you want the cert valid for, this example is 10 years:openssl req -new -x509 -sha256 -days 3650 -config <servername>.cfg -key <servername>.key -out <servername>.pem
Verify settings defined in PEM cert, specifically make sure the SANs are present in the cert:openssl x509 -in <servername>.pem -text -noout
Converts PEM to PKCS12 which are better supported on Windows. You will be prompted to set a certificate password:openssl pkcs12 -export -out <servername>.pfx -inkey <servername>.key -in <servername>.pem
Resources:
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
https://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl
https://serverfault.com/questions/845806/how-to-issue-ssl-certificate-with-san-extension