diff --git a/acme/crypto_util.py b/acme/crypto_util.py
index 4b58db328..8e7bd4449 100644
--- a/acme/crypto_util.py
+++ b/acme/crypto_util.py
@@ -6,6 +6,10 @@
 import os
 import re
 import socket
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import AttributeOID, NameOID
 import josepy as jose
 from OpenSSL import crypto
 from OpenSSL import SSL # type: ignore # https://github.com/python/typeshed/issues/2052
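Review bot: `rsa` and `AttributeOID` are imported here but nothing in this patch uses them; only `x509`, `hashes` and `NameOID` are referenced by the new `make_csr`. Unused imports trip flake8/pylint and read as a leftover from experimentation, so drop them unless a follow-up commit needs them: `from cryptography.x509.oid import NameOID`. The `# type: ignore` on the `SSL` import also looks like it has lost its second space before the comment in this rendering, worth checking against the file.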
@@ -199,24 +203,32 @@ def make_csr(private_key_pem, domains, must_staple=False):
     private_key = crypto.load_privatekey(
         crypto.FILETYPE_PEM, private_key_pem)
     csr = crypto.X509Req()
-    extensions = [
-        crypto.X509Extension(
-            b'subjectAltName',
-            critical=False,
-            value=', '.join('DNS:' + d for d in domains).encode('ascii')
-        ),
-    ]
+    builder = x509.CertificateSigningRequestBuilder()
+    #extensions = [
+    #    crypto.X509Extension(
+    #        b'subjectAltName',
+    #        critical=False,
+    #        value=', '.join('DNS:' + d for d in domains).encode('ascii')
+    #    ),
+    #]
+    sanlist = []
+    for address in domains:
+        sanlist.append(x509.DNSName(address))
+    builder = builder.subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, sanlist[0].value)]))
+    builder = builder.add_extension(x509.SubjectAlternativeName(sanlist), critical=False)
     if must_staple:
-        extensions.append(crypto.X509Extension(
-            b"1.3.6.1.5.5.7.1.24",
-            critical=False,
-            value=b"DER:30:03:02:01:05"))
-    csr.add_extensions(extensions)
-    csr.set_pubkey(private_key)
-    csr.set_version(2)
-    csr.sign(private_key, 'sha256')
+        builder.add_extension(x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)
+        # extensions.append(crypto.X509Extension(
+        #     b"1.3.6.1.5.5.7.1.24",
+        #     critical=False,
+        #     value=b"DER:30:03:02:01:05"))
+    #csr.add_extensions(extensions)
+    #csr.set_pubkey(private_key)
+    #csr.set_version(2)
+    #csr.sign(private_key, 'sha256')
+    crypto_csr = builder.sign(private_key.to_cryptography_key(), hashes.SHA256())
     return crypto.dump_certificate_request(
-        crypto.FILETYPE_PEM, csr)
+        crypto.FILETYPE_PEM, csr.from_cryptography(crypto_csr))
 
 
 def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
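Review bot: The `must_staple` branch silently drops the OCSP Must-Staple request: `x509.CertificateSigningRequestBuilder` is immutable and `add_extension` returns a new builder, but the line `builder.add_extension(x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)` discards its result, so the signed CSR carries no TLS Feature extension and the caller gets a certificate without the hardening it asked for, with no error to notice — it must be `builder = builder.add_extension(x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)`, and a test asserting the extension is present in the dumped CSR when `must_staple=True` would pin it. The new `subject_name` call is a behaviour change the pyOpenSSL version did not have: `sanlist[0].value` raises IndexError on an empty `domains`, and cryptography's `NameAttribute` enforces a 64-character limit on `COMMON_NAME`, so a first domain longer than that now fails where the SAN-only CSR used to succeed; either omit the subject entirely (ACME CAs issue from the SAN list) or set the CN only when the first name fits. `csr.from_cryptography(...)` is a classmethod, so `csr = crypto.X509Req()` is now a dead object and the return should read `crypto.X509Req.from_cryptography(crypto_csr)`. The commented-out pyOpenSSL code should be removed rather than kept alongside the replacement. The hunk covers the whole body of `make_csr`; only its docstring, if any, lies above the hunk header.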