Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096If you want a non password protected key just remove the -des3 option
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crtHere we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA
openssl genrsa -out mydomain.com.key 2048
The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.
Important: Please mind that while creating the signign request is important to specify the Common Name providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
I will describe here three ways to genererate CSR:
If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the Common Name (CN) that is the web address you are creating the certificate for, e.g mydomain.com.
openssl req -new -key mydomain.com.key -out mydomain.com.csr
This method generates the same output as Method A but it's suitable for use in your automation :) .
openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr
If you need to pass additional config you can use the -config parameter, here for example I want to add alternative names to my certificate.
openssl req -new -sha256 \
-key mydomain.com.key \
-subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
-out mydomain.com.csr
This adds SAN to the request (which is the same as the SAN included in the certificate itself). Copy the following config into a file (the name "san.cnf" is used in later commands).
copy the following which adds SAN for a local IP address, and change it to your preference:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = <change to you country's initials>
ST = <your state>
L = <your city>
O = <organization>
OU = <organization unit>
CN = <local ip, or host name which is resolvable through local dns>
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP=<your local ip>
if you want to use it with a local dns, change IP=... to
DNS.1=<your resolvable name through local DNS>
DNS.2=...
DNS.3=...
you get the idea.
then:
openssl req -new -sha256 -key mydomain.com.key -reqexts v3_req -config san.cnf -out mydomain.com.csr
Note that the 'v3_req' is defined in the config file.
openssl req -in mydomain.com.csr -noout -text
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
or if you used a specific config file, use
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -extfile san.conf -extensions v3_req -out mydomain.com.crt -days 500 -sha256
openssl x509 -in mydomain.com.crt -text -noout