Creating CSR with SAN via API calls

nm2025 — Sun, 24 Aug 2025 21:00:48 GMT

Hi,

I am trying to create CSR via API calls with subject alternate name for hostname and ip address, but I cannot find it in documentation. Simple creation of CSR works for me
https://10.XX.XX.XX/api?type=op&cmd=<request><certificate><generate><certificate-name>apicert</certificate-name><name>testing</name><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><digest>sha256</digest><signed-by>external</signed-by><ca>no</ca></generate></certificate></request>&key=

But I am trying to insert SAN fields. I tried with:

https://<FW>/api?type=op&cmd=<request><certificate><generate>
<certificate-name>ssl_cert_api_test</certificate-name>
<name>test</name>
<algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm>
<digest>sha256</digest>
<signed-by>external</signed-by>
<ca>no</ca>
<certificate-attributes>
<host-name><member>test_hostname</member></host-name>
<ip><member>90.90.90.90</member></ip>
</certificate-attributes>
</generate></certificate></request>&key=<API_KEY>

Error returned

<response status="error" code="17">
<msg>
<line><![CDATA[ request -> certificate -> generate -> certificate-attributes unexpected here]]></line>
<line><![CDATA[ request -> certificate -> generate is unexpected ]]></line>
<line><![CDATA[ request -> certificate is unexpected ]]></line>
<line><![CDATA[ request is unexpected ]]></line>
</msg>
</response>

What I already tried

Replacing <certificate-attributes> with <subject-alt-name> or <altname> blocks:
…<subject-alt-name><host-name>…</host-name><ip>…</ip></subject-alt-name>…
…<altname><host-name>…</host-name><ip>…</ip></altname>…

Same error pattern (code="17" / “unexpected here”).

Is there a supported way to pass SAN attributes via single call?

Re: Creating CSR with SAN via API calls

JayGolf — Mon, 25 Aug 2025 01:20:36 GMT

Hi @nm2025 ,

At this time, adding SANs isn’t supported directly via API. The supported method is to generate the CSR through the CLI or GUI, then export it for signing.

If automation is required, you can still leverage the XML API for importing and managing certificates once the CSR with SANs has been generated externally.

Re: Creating CSR with SAN via API calls

nm2025 — Mon, 25 Aug 2025 20:49:42 GMT

Thank you for clarification,

That works. I used the CLI for CSR creation and the API for all other automation tasks

topic Creating CSR with SAN via API calls in General Topics

Creating CSR with SAN via API calls

Re: Creating CSR with SAN via API calls

Re: Creating CSR with SAN via API calls