CRL distribution point with multiple names

To define a SEQUENCE of GeneralNames you need to define the crlDistributionPoints in your OpenSSL configuration using the full format:

crlDistributionPoints = cdp1

...

[cdp1]
fullname = URI:http://example.com/myca.crl,URI:http://example.org/my.crl

Which shows up as:

        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://example.com/myca.crl
              URI:http://example.org/my.crl

A full example would start by creating a config file (e.g. example.cnf):

[req]
prompt = no
distinguished_name = dn

[dn]
countryName = gb
organizationName = Example
commonName = Example Web Server

[ext]

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
crlDistributionPoints = cdp1
subjectAltName = @alt_names

[cdp1]
fullname = URI:http://example.com/myca.crl, URI:http://example.org/my.crl

[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.org

Use the config to generate a Certificate Signing Request (CSR):

 openssl req -newkey rsa:2048 -keyout example.key  -nodes -config example.cnf -out example.csr

Note that the above creates a 2048-bit RSA key with no password protection. Remove the -nodes if you need to password protect the private key.

Have a CA sign the CSR generated above.