diff --git a/docs/howto-certs-san/x.509-certs-with-san/Makefile b/docs/howto-certs-san/x.509-certs-with-san/Makefile
new file mode 100644
index 0000000..3c9bd75
--- /dev/null
+++ b/docs/howto-certs-san/x.509-certs-with-san/Makefile
@@ -0,0 +1,43 @@
+all: ca-cert client-cert router-cert
+
+ca-cert:
+ openssl genrsa -out ca/ca.key 4096
+ openssl req -x509 -new -key ca/ca.key \
+ -days 3650 -out ca/ca.crt \
+ -config ca/ca.cnf
+
+client-cert:
+ openssl genrsa -out client/client.key 4096
+ openssl req -new -key client/client.key \
+ -out client/client.csr -config client/client.cnf
+ openssl x509 -req -days 365 -in client/client.csr \
+ -CA ca/ca.crt -CAkey ca/ca.key \
+ -CAcreateserial -out client/client.crt
+
+router-cert:
+ openssl genrsa -out router/router.key 4096
+ openssl req -new -key router/router.key \
+ -out router/router.csr -config router/router.cnf
+ openssl x509 -req -days 365 -in router/router.csr \
+ -CA ca/ca.crt -CAkey ca/ca.key \
+ -CAcreateserial -out router/router.crt \
+ -extensions req_ext -extfile router/router.cnf
+ cat router/router.crt router/router.key > router/router.pem
+
+read-ca-crt:
+ openssl x509 -text -noout -in ca/ca.crt
+
+read-client-csr:
+ openssl req -noout -text -in client/client.csr
+
+read-client-crt:
+ openssl x509 -text -noout -in client/client.crt
+
+read-router-csr:
+ openssl req -noout -text -in router/router.csr
+
+read-router-crt:
+ openssl x509 -text -noout -in router/router.crt
+
+clean:
+ rm */*.crt */*.key */*.csr */*.srl */*.pem
diff --git a/docs/howto-certs-san/x.509-certs-with-san/ca/ca.cnf b/docs/howto-certs-san/x.509-certs-with-san/ca/ca.cnf
new file mode 100644
index 0000000..069b49c
--- /dev/null
+++ b/docs/howto-certs-san/x.509-certs-with-san/ca/ca.cnf
@@ -0,0 +1,10 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = California
+localityName = Sunnyvale
+organizationalUnitName = Engineering
+commonName = Self Signed Root CA
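Review bot: In the `router-cert` recipe of the Makefile, `cat router/router.crt router/router.key > router/router.pem` creates the bundle through a shell redirection, so `router.pem` gets the default umask (commonly world-readable) even though it contains the router's private key. Setting the mask on the same recipe line avoids that: `umask 077 && cat router/router.crt router/router.key > router/router.pem`. Separately, `client-cert` and `router-cert` both read `ca/ca.key` and write `ca/ca.srl` through `-CAcreateserial` but declare no prerequisite on `ca-cert`, so `make -j` or `make router-cert` on a clean tree can fail or race. Because no target is a real file, re-running `make ca-cert` also silently replaces the CA key and orphans every certificate already issued from it; a comment above `ca-cert` saying so would help readers who copy this how-to.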
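Review bot: `ca/ca.cnf` defines no `x509_extensions` section, and since the Makefile passes this file with `-config`, the stock OpenSSL defaults are not consulted. Depending on the OpenSSL version, the root may therefore be issued without `basicConstraints CA:TRUE` or a `keyUsage` that allows certificate signing, and stricter TLS verifiers refuse to treat such a certificate as a CA. I would declare the CA extensions explicitly, with one line added to `[req]` and a new section, as below.

```ini
[req]
# … unchanged: distinguished_name, prompt …
x509_extensions = v3_ca

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
```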
diff --git a/docs/howto-certs-san/x.509-certs-with-san/client/client.cnf b/docs/howto-certs-san/x.509-certs-with-san/client/client.cnf
new file mode 100644
index 0000000..a57f507
--- /dev/null
+++ b/docs/howto-certs-san/x.509-certs-with-san/client/client.cnf
@@ -0,0 +1,10 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = California
+localityName = Sunnyvale
+organizationalUnitName = Engineering
+commonName = client
diff --git a/docs/howto-certs-san/x.509-certs-with-san/router/router.cnf b/docs/howto-certs-san/x.509-certs-with-san/router/router.cnf
new file mode 100644
index 0000000..8e0e68e
--- /dev/null
+++ b/docs/howto-certs-san/x.509-certs-with-san/router/router.cnf
@@ -0,0 +1,19 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+prompt = no
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = California
+localityName = Sunnyvale
+organizationalUnitName = Engineering
+commonName = router
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = router
+DNS.2 = router.englab.juniper.net
+DNS.3 = *.juniper.net
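Review bot: `DNS.3 = *.juniper.net` in the `[alt_names]` section of `router/router.cnf` makes the sample router certificate valid for every first-level host name under that domain, for any peer that trusts this CA. That is far wider than the two router names listed above it. For a how-to that readers will copy, I would drop the entry or narrow it to the lab zone, e.g. `DNS.3 = *.englab.juniper.net`. The `req_ext` section, which the Makefile applies with `-extensions req_ext`, carries only `subjectAltName`; if the router only terminates TLS, adding `extendedKeyUsage = serverAuth` there would also restrict what the key can be used for.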