To define a SEQUENCE of GeneralNames you need to define the crlDistributionPoints in your OpenSSL configuration using the full format:
crlDistributionPoints = cdp1
...
[cdp1]
fullname = URI:http://example.com/myca.crl,URI:http://example.org/my.crl
Which shows up as:
X509v3 CRL Distribution Points:
Full Name:
URI:http://example.com/myca.crl
URI:http://example.org/my.crl
A full example would start by creating a config file (e.g. example.cnf
):
[req]
prompt = no
distinguished_name = dn
[dn]
countryName = gb
organizationName = Example
commonName = Example Web Server
[ext]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
crlDistributionPoints = cdp1
subjectAltName = @alt_names
[cdp1]
fullname = URI:http://example.com/myca.crl, URI:http://example.org/my.crl
[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.org
Use the config to generate a Certificate Signing Request (CSR):
openssl req -newkey rsa:2048 -keyout example.key -nodes -config example.cnf -out example.csr
Note that the above creates a 2048-bit RSA key with no password protection. Remove the -nodes
if you need to password protect the private key.
Have a CA sign the CSR generated above.