This guide shows how to create a multi-domain/unified communications certificate (UCC), which secures multiple domains under one certificate: a primary domain name and up to 99 additional Subject Alternative Names (SANs).

Download and install the latest stable OpenSSL windows executable from 

Create req config file

Create or reuse a req.conf file as per below, with your SAN names (do not include lines at top and bottom)



[req]

distinguished_name = req_distinguished_name

req_extensions = v3_req

prompt = no

[req_distinguished_name]

C = GB

ST = <state or county>

L = <city>

O = <company name>

OU = <company name>

CN = <externaldomainname1>

[v3_req]

keyUsage = keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]

DNS.1 = externaldomainname2

DNS.2 = externaldomainname3

DNS.3 = externaldomainname4

DNS.4 = externaldomainname5


Generate CSR and Private Key

Run cmd as administrator

cd "C:\Program Files\OpenSSL-Win64\bin"

openssl req -new -out ucc.csr -newkey rsa:2048 -nodes -sha256 -keyout ucc.key.temp -config C:\TEMP\req.conf

 *This creates the CSR and the private key from the req.conf file created above*

Verify CSR

openssl req -noout -text -in ucc.csr

 *Verify the CSR information is correct*
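One way to automate the CSR check above, as an added example that is not part of the original guide: this Python script parses the text printed by `openssl req -noout -text` and reports any name the certificate must cover that is absent from the CSR's SAN list. The hostnames and the sample output are constructed; the CN is reported separately because current browsers match hostnames against SAN entries rather than the CN.

```python
import re

# Constructed sample of `openssl req -noout -text -in ucc.csr` output (trimmed);
# the hostnames are placeholders, not values from the guide.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = GB, ST = Kent, L = Dover, O = Example Ltd, OU = Example Ltd, CN = www.example.com
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:mail.example.com, DNS:autodiscover.example.com, DNS:Owa.Example.com
"""

def parse_csr_text(text):
    """Return (common_name, [dns_sans]) from OpenSSL's text dump, lower-cased."""
    # Accept both "CN = name" and "CN=name", which differ between OpenSSL versions.
    cn = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    sans = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # The SAN values are printed on the line after the extension name.
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS" and value:
                    sans.append(value.strip().lower())
    return (cn.group(1).strip().lower() if cn else None), sans

def check_csr_names(text, expected):
    """Compare the DNS SANs in the CSR with the names the certificate must cover."""
    cn, sans = parse_csr_text(text)
    want = {name.strip().lower() for name in expected}
    return {
        "common_name": cn,
        "missing": sorted(want - set(sans)),      # expected but not in the SAN list
        "unexpected": sorted(set(sans) - want),   # in the SAN list but not expected
        "duplicates": sorted({s for s in sans if sans.count(s) > 1}),
        "cn_in_san": cn in sans,
    }

if __name__ == "__main__":
    names = ["www.example.com", "mail.example.com",
             "autodiscover.example.com", "owa.example.com"]
    print(check_csr_names(SAMPLE_CSR_TEXT, names))
```

To use it on a real request, pass the captured output of `openssl req -noout -text -in ucc.csr` as `text` and the full list of hostnames as `expected`.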

Verify Private Key

openssl rsa -in ucc.key.temp -check

 *This verifies the private key; it should return an OK*

Use CSR on certificate authority to create a certificate file

Submit the CSR to a third-party certificate authority (GoDaddy/Digicert etc.) when ordering a Multiple Domain (UCC) SSL certificate or a wildcard certificate that supports subdomains.

Verify every domain via DNS, web page or email (DNS verification is the creation of a TXT record in the external domain name), then download the certificate file (.crt) and the intermediate file.

Combine CRT and Private Key into PFX

Importing this crt file into IIS, for example, will not import the private key. You need to combine the private key (created earlier) and the downloaded crt file with the following command:

openssl pkcs12 -export -in C:\TEMP\shfghdsgfh32356.crt -inkey ucc.key.temp -out ucc.pfx

Create an export password when prompted; the PFX file is then generated, ready to import into IIS.

Using MMC > Add Snap-In > Certificates > Local Computer you can now import the PFX file into the Personal Store. You should see a key symbol on the certificate; if you do not see the key, one of the steps above has been missed.

Finally, ensure that the intermediate certificate authority crt file that was also downloaded from the certificate authority is added to the Intermediate Certification Authority > Certificates section of the certificates snap-in within MMC.

The certificate should now be visible under Server Certificates within IIS (you may need to refresh) and can now be used within IIS HTTPS bindings.