Use this configuration with OpenSSL. You may add real IP and DNS SANs (Subject Alternative Names) below under [ alt_names ]; the values there are the only names and addresses a client will accept the server certificate for.
cat <<EOF > openssl.conf
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
DNS.2 = foo.bar.com
IP.1 = 127.0.0.1
IP.2 = 10.32.0.91
EOF
The root certificate authority is typically self-signed and is used only to issue certificates for intermediate certificate authorities; its key should stay offline.
openssl genrsa -out root-ca-key.pem 2048
The root certificate is self-signed (note -x509) and carries the v3_ca extensions:
openssl req \
-x509 \
-new -sha256 \
-nodes \
-key root-ca-key.pem \
-days 1826 \
-out root-ca.pem \
-subj '/CN=root-ca/C=SE/L=Gothenburg/O=amimof/' \
-extensions v3_ca \
-config openssl.conf
The intermediate CA is signed by the root CA and is the one that issues certificates to servers and clients. Its CSR is signed with the same v3_ca extensions, so it becomes a CA certificate (CA:TRUE, keyCertSign):
openssl genrsa -out intermediate-ca-key.pem 2048
openssl req \
-new \
-sha256 \
-key intermediate-ca-key.pem \
-subj '/CN=intermediate-ca/C=SE/L=Gothenburg/O=amimof/' \
-out intermediate-ca.csr
openssl x509 \
-req \
-sha256 \
-CA root-ca.pem \
-CAkey root-ca-key.pem \
-CAcreateserial \
-out intermediate-ca.pem \
-days 1826 \
-extensions v3_ca \
-in intermediate-ca.csr \
-extfile openssl.conf
These end-entity certificates are used by servers, clients and applications and are issued by the intermediate CA. The v3_req_server section makes them non-CA (CA:FALSE), restricts them to serverAuth and attaches the SANs from [ alt_names ]:
openssl genrsa -out server-key.pem 2048
openssl req \
-new \
-sha256 \
-key server-key.pem \
-subj '/CN=example.com/C=SE/L=Gothenburg/O=amimof/' \
-out server.csr
openssl x509 \
-req \
-sha256 \
-CA intermediate-ca.pem \
-CAkey intermediate-ca-key.pem \
-CAcreateserial \
-out server.pem \
-days 1826 \
-extensions v3_req_server \
-in server.csr \
-extfile openssl.conf
Inspect each certificate to confirm the extensions were applied (CA:TRUE on the two CAs, CA:FALSE plus the Subject Alternative Name list on the server certificate):
openssl x509 -in root-ca.pem -text -noout
openssl x509 -in intermediate-ca.pem -text -noout
openssl x509 -in server.pem -text -noout
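The steps above produce the chain but never prove it validates the way a TLS client would. The script below is an added example, not part of the original page: it runs the same commands in a scratch directory with the same file names and subject strings, then verifies the leaf against the root with the intermediate supplied as untrusted, checks hostname and IP matching against the SANs, checks the sslserver purpose, and confirms that a name absent from the SANs is rejected. It assumes the openssl CLI is on PATH (the -verify_hostname and -verify_ip options exist in OpenSSL 1.0.2 and later).

```shell
#!/bin/sh
# Added example, not the original page's code. Builds root -> intermediate -> server
# with the page's commands and then verifies the chain. Assumes `openssl` is on PATH.
set -eu

write_openssl_conf() {
  # Same configuration as the page; [ alt_names ] holds the constructed sample SANs.
  cat <<'EOF' > openssl.conf
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
DNS.2 = foo.bar.com
IP.1 = 127.0.0.1
IP.2 = 10.32.0.91
EOF
}

build_chain() {
  # Root CA: self-signed with the v3_ca extensions.
  openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
  openssl req -x509 -new -sha256 -nodes -key root-ca-key.pem -days 1826 \
    -out root-ca.pem -subj '/CN=root-ca/C=SE/L=Gothenburg/O=amimof/' \
    -extensions v3_ca -config openssl.conf
  # Intermediate CA: CSR signed by the root, again with v3_ca (CA:TRUE, keyCertSign).
  openssl genrsa -out intermediate-ca-key.pem 2048 2>/dev/null
  openssl req -new -sha256 -key intermediate-ca-key.pem \
    -subj '/CN=intermediate-ca/C=SE/L=Gothenburg/O=amimof/' -out intermediate-ca.csr
  openssl x509 -req -sha256 -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
    -out intermediate-ca.pem -days 1826 -extensions v3_ca \
    -in intermediate-ca.csr -extfile openssl.conf 2>/dev/null
  # Server leaf: CSR signed by the intermediate with v3_req_server (CA:FALSE, SANs).
  openssl genrsa -out server-key.pem 2048 2>/dev/null
  openssl req -new -sha256 -key server-key.pem \
    -subj '/CN=example.com/C=SE/L=Gothenburg/O=amimof/' -out server.csr
  openssl x509 -req -sha256 -CA intermediate-ca.pem -CAkey intermediate-ca-key.pem \
    -CAcreateserial -out server.pem -days 1826 -extensions v3_req_server \
    -in server.csr -extfile openssl.conf 2>/dev/null
}

# Positive checks: trust only the root, pass the intermediate as untrusted, and
# require the leaf to match a SAN name, a SAN IP and the TLS server purpose.
verify_chain() {
  openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem server.pem >/dev/null &&
  openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem \
    -verify_hostname foo.bar.com server.pem >/dev/null &&
  openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem \
    -verify_ip 10.32.0.91 server.pem >/dev/null &&
  openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem \
    -purpose sslserver server.pem >/dev/null
}

# Negative check: a hostname that is not in the SAN list must be rejected.
reject_wrong_hostname() {
  if openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem \
       -verify_hostname wrong.example.invalid server.pem >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Runs everything in a scratch directory and prints its path on success so the
# resulting PEM files can be inspected; returns non-zero if any step or check fails.
run_demo() {
  workdir=$(mktemp -d)
  ( cd "$workdir" && write_openssl_conf && build_chain &&
    verify_chain && reject_wrong_hostname ) || return 1
  echo "$workdir"
}
```

Because the page signs the intermediate with the same v3_ca section as the root, the intermediate can itself issue further CAs. If that is not wanted, a separate section for it with `basicConstraints = critical, CA:TRUE, pathlen:0` limits it to issuing end-entity certificates only; that section name would be an addition of your own, not something the page defines.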