--- /usr/src/libexec/rc/rc.d/sendmail 2019-02-27 10:27:22.161815000 +0100
+++ /etc/rc.d/sendmail 2021-10-11 18:27:48.919444000 +0200
@@ -126,6 +126,18 @@
 basicConstraints = CA:true
 OPENSSL_CNF

+ # handle subject alternative names, DNS only
+ if [ -n "${sendmail_san_list}" ]; then
+ for d in ${sendmail_san_list}; do
+ if [ -z "${_sendmail_san_list}" ]; then
+ export _sendmail_san_list="DNS:${d}"
+ else
+ _sendmail_san_list="${_sendmail_san_list},DNS:${d}"
+ fi
+ done
+ sendmail_san_list='-addext subjectAltName=${ENV::_sendmail_san_list}'
+ fi
+
 # though we use a password, the key is discarded and never used
 openssl req -batch -passout pass:"$certpass" -new -x509 \
 -keyout cakey.pem -out cacert.pem -days 3650 \
@@ -134,7 +146,7 @@
 # make new certificate
 openssl req -batch -nodes -new -x509 -keyout newkey.pem \
 -out newreq.pem -days 365 -config openssl.cnf \
- -newkey rsa:2048 >/dev/null 2>&1 &&
+ -newkey rsa:2048 ${sendmail_san_list} >/dev/null 2>&1 &&

 # sign certificate
 openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
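Review bot: In the first hunk (`@@ -126,6 +126,18 @@`), `for d in ${sendmail_san_list}` expands unquoted, so a wildcard entry such as `*.example.com` undergoes pathname expansion in the current directory before it is written into the SAN string. `_sendmail_san_list` is also appended to without being cleared, so a value inherited from the environment would end up in the certificate; I would start the block with `_sendmail_san_list=` and wrap the loop in `set -f` / `set +f`. Each entry is copied verbatim after `DNS:`, so an entry containing a comma adds further SAN fields, which the "DNS only" comment does not lead a reader to expect; rejecting entries that match `*[!A-Za-z0-9.*-]*` in a `case` would enforce it. The block then overwrites `sendmail_san_list` (presumably the administrator's setting) with openssl arguments, and a separate variable name for the argument string would be clearer.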
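Review bot: In the second hunk (`@@ -134,7 +146,7 @@`), the `openssl req` call that now receives `${sendmail_san_list}` still redirects everything to `/dev/null`, so a SAN value that openssl rejects, or an openssl build that lacks `-addext`, makes certificate creation fail with no diagnostic. Consider keeping stderr when a SAN list is configured, or emitting a warning when the chain fails, so the administrator can see why no certificate was produced. The unquoted expansion looks deliberate (two words, or nothing when the list is empty) and deserves a comment above the command such as `# unquoted on purpose: expands to "-addext subjectAltName=..." or to nothing`. The `&&` chain continues past the end of the hunk.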