Modern browsers (2023/05) won't support the server certificate if the SAN field is empty resulting in error SSL_ERROR_BAD_CERT_DOMAIN in browser. In this case it is a self-signed.
Make sure the CA/Intermediates are verified and imported to client machines. Generate a private key: 
<code>openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048</code> 
Create the config file : csr.conf
<pre><code class="lang-bash">[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn


[dn]
C = BE
ST = Luxembourg
L = Luxembourg
O = MyOrganization
OU = ISO
CN = web.mycompany.eu
emailAddress = johndoe@mycompany.eu


[req_ext]
subjectAltName = @alt_names


[alt_names]
DNS.1 = web.mycompany.eu
</code></pre>
<code>openssl req -new -key server.key -out server.csr -config csr.conf</code> 
Provide the resulting <code>server.csr</code> to certificate authority, later after receiving the server.crt. Add server.key and signed server certificate to your application.

Modern browsers (2023/05) won't support the server certificate if the SAN field is empty resulting in error **SSL\_ERROR\_BAD\_CERT\_DOMAIN** in browser. In this case it is a self-signed.

Make sure the CA/Intermediates are verified and imported to client machines.  
Generate a private key:  
   
`openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048`  
   
Create the config file : ***csr.conf***

```bash
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn


[dn]
C = BE
ST = Luxembourg
L = Luxembourg
O = MyOrganization
OU = ISO
CN = web.mycompany.eu
emailAddress = johndoe@mycompany.eu


[req_ext]
subjectAltName = @alt_names


[alt_names]
DNS.1 = web.mycompany.eu
```

   
`openssl req -new -key server.key -out server.csr -config csr.conf`  
   
Provide the resulting `server.csr` to certificate authority, later after receiving the server.crt. Add server.key and signed server certificate to your application.

Adding SAN to your CSR