diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 6d53d244d..00ff4ae30 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -32,6 +32,7 @@ var acme = require('./cert/acme.js'),
     caas = require('./cert/caas.js'),
     config = require('./config.js'),
     constants = require('./constants.js'),
+    crypto = require('crypto'),
     debug = require('debug')('box:certificates'),
     domains = require('./domains.js'),
     ejs = require('ejs'),
@@ -39,12 +40,12 @@ var acme = require('./cert/acme.js'),
     fallback = require('./cert/fallback.js'),
     fs = require('fs'),
     mailer = require('./mailer.js'),
+    os = require('os'),
     path = require('path'),
     paths = require('./paths.js'),
     platform = require('./platform.js'),
     safe = require('safetydance'),
     shell = require('./shell.js'),
-    tld = require('tldjs'),
     user = require('./user.js'),
     util = require('util');
 
@@ -186,8 +187,13 @@ function setFallbackCertificate(domain, fallback, callback) {
         if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`), fallback.cert)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
         if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.key`), fallback.key)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
     } else if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) { // generate it
-        var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=*.%s -nodes', keyFilePath, certFilePath, domain);
+        let opensslConf = safe.fs.readFileSync('/etc/ssl/openssl.cnf', 'utf8');
+        let opensslConfWithSan = `${opensslConf}\n[SAN]\nsubjectAltName=DNS:${domain}\n`;
+        let configFile = path.join(os.tmpdir(), 'openssl-' + crypto.randomBytes(4).readUInt32LE(0) + '.conf');
+        safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8');
+        let certCommand = util.format(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 3650 -subj /CN=*.${domain} -extensions SAN -config ${configFile} -nodes`);
         if (!safe.child_process.execSync(certCommand)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
+        safe.fs.unlinkSync(configFile);
     }
 
     platform.handleCertChanged('*.' + domain);
diff --git a/src/routes/test/domains-test.js b/src/routes/test/domains-test.js
index b55b0e83d..79f19cce3 100644
--- a/src/routes/test/domains-test.js
+++ b/src/routes/test/domains-test.js
@@ -318,7 +318,7 @@ describe('Domains API', function () {
         });
     });
 
-    xit('cannot set certificate with cert not being a string', function (done) {
+    it('cannot set certificate with cert not being a string', function (done) {
         var d = _.extend({}, DOMAIN_0);
         d.fallbackCertificate = { cert: 1234, key: validKey1 };
 
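Review bot: The SAN written into the temporary config lists only `DNS:${domain}` while the CN on the same command line is `*.${domain}` and the setupTest counterpart in this commit uses `DNS:*.localhost`; clients match hostnames against the SAN list rather than the CN, so a certificate with this SAN will not cover `app.<domain>`-style names, and the entry should presumably read `subjectAltName=DNS:*.${domain},DNS:${domain}` (confirm which names the fallback certificate is meant to cover). The return values of `safe.fs.readFileSync` and `safe.fs.writeFileSync` are not checked, so an unreadable `/etc/ssl/openssl.cnf` leaves `opensslConf` without the base config yet openssl is still run, and the config file is leaked whenever `execSync` fails because `unlinkSync` sits after the early return. The file name is a fixed-width random number in the shared tmpdir written with a symlink-following `writeFileSync`; a private `mkdtemp` directory plus `try/finally` cleanup addresses both (I have assumed safetydance wraps `mkdtempSync` like the other fs calls here; otherwise wrap `fs.mkdtempSync` in a try). `util.format` with a template literal and no further arguments is a no-op and can be dropped, and `const` fits these bindings. setFallbackCertificate begins outside the hunk.

```javascript
    } else if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) { // generate it
        const opensslConf = safe.fs.readFileSync('/etc/ssl/openssl.cnf', 'utf8');
        if (!opensslConf) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));

        // clients match the SAN list, not the CN, so the wildcard has to be listed here as well
        const opensslConfWithSan = `${opensslConf}\n[SAN]\nsubjectAltName=DNS:*.${domain},DNS:${domain}\n`;

        // private scratch directory rather than a guessable name in the shared tmpdir
        const configDir = safe.fs.mkdtempSync(path.join(os.tmpdir(), 'openssl-'));
        if (!configDir) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
        const configFile = path.join(configDir, 'openssl.cnf');

        try {
            if (!safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8')) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));

            const certCommand = `openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 3650 -subj /CN=*.${domain} -extensions SAN -config ${configFile} -nodes`;
            if (!safe.child_process.execSync(certCommand)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
        } finally {
            safe.fs.unlinkSync(configFile); // best effort: the file may be absent if the write failed
            safe.fs.rmdirSync(configDir);
        }
    }
    // … unchanged: platform.handleCertChanged call …
```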
diff --git a/src/test/setupTest b/src/test/setupTest
index 20366ac06..df1ebd526 100755
--- a/src/test/setupTest
+++ b/src/test/setupTest
@@ -16,7 +16,7 @@ mkdir -p boxdata/appicons boxdata/mail boxdata/certs boxdata/mail/dkim/localhost
 mkdir -p platformdata/addons/mail platformdata/nginx/cert platformdata/nginx/applications platformdata/collectd/collectd.conf.d platformdata/addons platformdata/logrotate.d platformdata/backup
 
 # put cert
-openssl req -x509 -newkey rsa:2048 -keyout platformdata/nginx/cert/host.key -out platformdata/nginx/cert/host.cert -days 3650 -subj '/CN=localhost' -nodes
+openssl req -x509 -newkey rsa:2048 -keyout platformdata/nginx/cert/host.key -out platformdata/nginx/cert/host.cert -days 3650 -subj '/CN=localhost' -nodes -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.localhost"))
 
 # create docker network (while the infra code does this, most tests skip infra setup)
 docker network create --subnet=172.18.0.0/16 cloudron || true
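Review bot: The SAN added to the test certificate lists only `DNS:*.localhost` while the subject is `/CN=localhost`; a wildcard entry does not match the bare name, so a client that validates `localhost` against the SAN list will reject this certificate, and the reverseproxy.js change in the same commit goes the other way and lists only the bare domain. Listing both keeps the two in step: `printf "\n[SAN]\nsubjectAltName=DNS:localhost,DNS:*.localhost"`. Process substitution `<(...)` is a bash feature, so this line relies on the script's interpreter being bash rather than sh (the shebang is outside the hunk), and the `/etc/ssl/openssl.cnf` path assumes a Debian-style OpenSSL layout.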