1 Create CA
openssl genrsa -out rootCA_key.key 2048.
-des3 algorithm to encrypt the key and will require you to enter a password in order for the key file to be created.
1.2 Create Root CA cert with constraint CA = true.
openssl req -x509 -new -nodes -key rootCA_key.key -sha256 -days 1024 -out rootCA_crt.pem \
-extensions v3_ca -reqexts v3_req -config /usr/local/etc/openssl/openssl.cnf
2.1 Create file named v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain1.com <--- should be same as subject name
DNS.2 = domain2.dev
IP.3 = X.X.X.X
2.2 Create CSR openssl req -new -nodes -out server_csr.csr -newkey rsa:2048 -keyout server_key.key
2.3 Issue crt with Root CA openssl x509 -req -in server_csr.csr -CA rootCA_crt.pem -CAkey rootCA_key.key -CAcreateserial -out server_crt.crt -days 500 -sha256 -extfile v3.ext
MISC:
- pem to crt openssl x509 -outform der -in rootCA_crt.pem -out rootCA_crt.crt
- key to pem openssl rsa -in server.key -text > private.pem
- der to crt openssl x509 -in burp_cacert.der -inform DER -out burp_mycert.crt
This is been borrowed from below and modified to my use specific use case (IP in SAN, constraint CA = true )
cert-manager/cert-manager#279
https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key