I just developed a web based tool that will generate this command automatically based on form input and display the output.

UPDATE: see certificatetools.com

It became so popular that I improved it and published it under its own domain name.

It will not only give you the downloadable .csr, but also provide the openssl commands that were used to generate it, and the needed openssl.cnf configuration options.

Example:

OpenSSL Commands

#generate the RSA private key
openssl genpkey -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out priv.key

#Create the CSR
openssl req -new -nodes -key priv.key -config csrconfig.txt -out cert.csr

OpenSSL CSR Config

[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = example.com
countryName = US
stateOrProvinceName = Louisiana
localityName = Slidell
organizationName = Acme Inc.
[ req_ext ]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
subjectAltName = @alt_names
[ alt_names ]
IP.0 = 1.1.1.1
IP.1 = 2.2.2.2
DNS.0 = server1.example.com
DNS.1 = server2.example.com
email.0 = email1@example.com
email.1 = email2@example.com

The v3_req is required with the entry subjectAltName in the config file. The command

openssl x509 ... -extfile openssl.cnf -extensions v3_req

will insert the SAN into the certificate.

What command did you use to make the CSR certificate request? What command did you use to make the certificate file? Different answers for different circumstances you know.

Maybe you are not putting

subjectAltName=email:copy

in the section

[v3_req]

Maybe you are using openssl x509 to generate the certificate, if so you must use

-extfile /etc/pki/tls/openssl.cnf

because without that it doesnt use your config file

You also might need

-extensions v3_req

command line switch

#! /bin/dash

#  Steps 1-3 show how to use openssl to create a certificate request
#  that includes Subject Alternative Names.

#  In the uncommon case where you are creating your own CA, steps 4-6
#  show how to use openssl to create a CA and then use that CA to
#  create a certificate from the request.

#  Step 1:  Create an OpenSSL configuration file
#    to specify the Subject Alternative Names

echo  ;  echo  'step  1'
cat  >  foo.cnf  <<EOF
[ req ]
distinguished_name      =  arbitrary_name_1
req_extensions          =  arbitrary_name_2
[ arbitrary_name_1 ]
[ arbitrary_name_2 ]
subjectAltName          =  @arbitrary_name_3
[ arbitrary_name_3 ]
DNS.1                   =  foo.com
DNS.2                   =  bar.com
DNS.3                   =  baz.com
EOF

#  Step 2:  Create a certificate request for foo.com.
#
#  openssl
#    req
#      -config      read openssl configuration from this file
#      -subj        set the commonName of the certificate
#      -newkey      generate a new key (and, by implication, a new request!)
#        -nodes       do not encrypt the new private key ("no DES")
#        -keyout      write the new private key to this file
#      -out         write the request to this file

echo  ;  echo  'step  2'
openssl                         \
  req                           \
    -config    foo.cnf          \
    -subj      '/CN=foo.com'    \
    -newkey    rsa:2048         \
      -nodes                    \
      -keyout  foo.key          \
    -out       foo.req

#  Step 3:  Display the requested extensions.

echo  ;  echo  'step  3'
openssl  req  -in foo.req  -noout  -text  |  \
  grep  -A 2  'Requested Extensions:'

#  Step 4:  Create a certificate authority by creating
#    a private key and self-signed certificate.
#
#  openssl
#    req            generate a certificate request, but don't because ...
#      -x509        generate a self-signed certificate instead
#      -subj        set the commonName of the certificate
#      -days        certificate is valid for N days, starting now
#      -newkey      generate a new private key
#        -nodes       do not encrypt the new private key ("no DES")
#        -keyout      write the new private key to this file
#      -out         write the self-signed certificate to this file

echo  ;  echo  'step  4'
openssl                         \
  req                           \
    -x509                       \
    -subj      "/CN=Custom CA"  \
    -days      4000             \
    -newkey    rsa:2048         \
      -nodes                    \
      -keyout  ca.key           \
    -out       ca.cert

#  Step 5:  Use the certificate authority
#    to create a certificate for foo.com.
#
#  openssl
#    x509             operate on an x509 certificate
#      -req           create an x509 certificate from a request
#      -in            read the request from this file
#      -CA            read the CA certificate from this file
#      -CAkey         read the CA key form this file
#      -extfile       read openssl's configuration from this file
#      -extensions    read extensions from this section of the configuration
#      -days          certificate is valid for N days, starting now
#      -set_serial    set the new certificate's serial number
#      -out           write the new certificate to this file

echo  ;  echo  'step  5'
openssl                                 \
  x509                                  \
    -req                                \
    -in          foo.req                \
    -CA          ca.cert                \
    -CAkey       ca.key                 \
    -extfile     foo.cnf                \
    -extensions  arbitrary_name_2       \
    -days        30                     \
    -set_serial  1001                   \
    -out         foo.cert

#  Step 6:  Display the X509v3 extensions:

echo  ;  echo  'step  6'
openssl  x509  -in foo.cert  -noout  -text  |  \
  grep  -A 2  'X509v3 extensions:'

Alright, none of the other answers on this page worked for me, and I tried every last one of them. What worked for me was a little trick:

when requesting the cert:

-config '<(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER"))' 
-reqexts SAN

and when signing the cert:

-extfile '<(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER"))' 
-extensions SAN

So there is no confusion, here is a working script that covers everything from the start, including creating a certificate authority:

# if the server name is undefined, lets default to 'Some-Server'
SERVER="${SERVER:-Some-Server}"

CORPORATION=My-Corp
GROUP=My-Corporate-Group
CITY=City
STATE=State
COUNTRY=US

CERT_AUTH_PASS=`openssl rand -base64 32`
echo $CERT_AUTH_PASS > cert_auth_password
CERT_AUTH_PASS=`cat cert_auth_password`

# create the certificate authority
openssl \
  req \
  -subj "/CN=$SERVER.ca/OU=$GROUP/O=$CORPORATION/L=$CITY/ST=$STATE/C=$COUNTRY" \
  -new \
  -x509 \
  -passout pass:$CERT_AUTH_PASS \
  -keyout ca-cert.key \
  -out ca-cert.crt \
  -days 36500

# create client private key (used to decrypt the cert we get from the CA)
openssl genrsa -out $SERVER.key

# create the CSR(Certitificate Signing Request)
openssl \
  req \
  -new \
  -nodes \
  -subj "/CN=$SERVER/OU=$GROUP/O=$CORPORATION/L=$CITY/ST=$STATE/C=$COUNTRY" \
  -sha256 \
  -extensions v3_req \
  -reqexts SAN \
  -key $SERVER.key \
  -out $SERVER.csr \
  -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER")) \
  -days 36500

# sign the certificate with the certificate authority
openssl \
  x509 \
  -req \
  -days 36500 \
  -in $SERVER.csr \
  -CA ca-cert.crt \
  -CAkey ca-cert.key \
  -CAcreateserial \
  -out $SERVER.crt \
  -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER")) \
  -extensions SAN \
  -passin pass:$CERT_AUTH_PASS

We can then verify that the Subject Alternative name is in the final cert:

openssl x509 -in Some-Server.crt -text -noout

The pertinent section is:

    X509v3 extensions:
        X509v3 Subject Alternative Name: 
            DNS:Some-Server

So it worked! This is a cert that will be accepted by every major browser (including chrome), so long as you install the certificate authority in the browser. Thats ca-cert.crt that you will need to install.

Here is a sample configuration for ngnx that would allow you to use the cert:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name  localhost:443;

    ssl_certificate /etc/ssl/certs/Some-Server.crt;
    ssl_certificate_key /etc/ssl/private/Some-Server.key;
    ssl_dhparam /etc/ssl/certs/https-dhparam.pem;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

I got it to work with the following version (emailAddress was incorrectly placed) :

[ req ]
default_bits        = 2048 
default_keyfile     = privkey.pem 
distinguished_name  = req_distinguished_name
req_extensions          = v3_req
x509_extensions         = v3_ca

[req_distinguished_name]
C = [Press Enter to Continue]
C_default = US 
C_min = 2 
C_max = 2 

O = [Press Enter to Continue]
O_default = default 

0.OU=[Press Enter to Continue]
0.OU_default = default 
1.OU=[Press Enter to Continue]
1.OU_default = PKI 
2.OU=[Press Enter to Continue] 
2.OU_default = ABCD
commonName = Public FQDN of server 
commonName_max = 64
emailAddress = [Press Enter to Continue] 
emailAddress_default = myEmail@email.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName         = email:myEmail@email.com
issuerAltName          = issuer:copy

Notes:

• To generate the certificate I used:

  openssl req -config req.cnf -new -nodes -out req.pem -x509
  

• I haven't seen much use for issuerAltname (if you have I'd be interested to know where).
• Using issuer:always isn't recommended for authorityKeyIdentifier.
• Using email:copy now works with subjectAltName.
• v3_req section is superfluous (as well as req_extensions line.