--- /usr/share/univention-ssl/make-certificates.sh.orig 2017-07-12 14:04:48.000000000 +0200
+++ /usr/share/univention-ssl/make-certificates.sh      2017-07-12 14:04:52.000000000 +0200
@@ -413,6 +413,8 @@
        local name="${1:?Missing argument: dirname}"
        local fqdn="${2:?Missing argument: common name}"
        local days="${3:-$DEFAULT_DAYS}"
+       local domain=$(ucr get domainname)
+       local san=$(univention-ldapsearch -LLL cNAMERecord=$fqdn. | grep relativeDomainName: | awk -v domain="${domain}" '{print $2, $2"."domain}' | sed ':a;N;$!ba;s/\n/\ /g')
 
        local hostname="${fqdn%%.*}" cn="$fqdn"
        if [ ${#hostname} -gt 64 ]
@@ -436,7 +438,7 @@
                [ -n "$EXTERNAL_REQUEST_FILE_KEY" ] && cp "$EXTERNAL_REQUEST_FILE_KEY" "$name/private.key"
        else
                # generate a key pair
-               mk_config "$name/openssl.cnf" "" "$days" "$cn" "$fqdn $hostname"
+               mk_config "$name/openssl.cnf" "" "$days" "$cn" "$fqdn $hostname $san"
                openssl genrsa -out "$name/private.key" "$DEFAULT_BITS"
                openssl req -batch -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem"
        fi