These commands are needed every time you want to generate a new certificate signing request to give to an authority in order for them to generate and sign a certificate for you.
I constantly forget how this stuff works so I collected the most important ones here for easy copy & paste.
There is good information available on https://www.h2check.org/deploy, and they also go into detail on HTTP/2.
The private key generated here is unencrypted and must be kept private.
$ openssl genrsa -out example.com.key 2048
$ openssl req -new -sha256 -key example.com.key -out example.com.csr
$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
This allows you to check the information enclosed in a CSR.
$ openssl req -noout -text -in example.com.csr
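The key and CSR commands above combined into one non-interactive run, followed by a check that the CSR really belongs to the key before it is sent to an authority. This is an added example, not part of the original notes; the function names, the -subj value and the output directory layout are assumptions.

```sh
#!/bin/sh
# Added example: key + CSR for one hostname, then confirm the two belong together.
# Function names, the -subj value and the directory layout are assumptions.

# make_csr DOMAIN DIR: writes DIR/DOMAIN.key and DIR/DOMAIN.csr
make_csr() {
    domain=$1 dir=$2
    (
        # The key is written unencrypted, so create it readable by the owner only.
        umask 077
        openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null &&
        openssl req -new -sha256 -key "$dir/$domain.key" \
            -subj "/CN=$domain" -out "$dir/$domain.csr"
    )
}

# csr_matches_key CSR KEY: succeeds only if the CSR's self-signature verifies
# and the public key inside the CSR is the one derived from the private key.
csr_matches_key() {
    csr=$1 key=$2
    # The exit status of "req -verify" differs between OpenSSL releases,
    # so check the message it prints instead.
    openssl req -verify -noout -in "$csr" 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -noout -pubkey -in "$csr") || return 1
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}
```

Typical use: make_csr example.com . && csr_matches_key example.com.csr example.com.key && echo "CSR matches key".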
http://blog.ivanristic.com/2013/06/ssl-labs-deploying-forward-secrecy.html
$ openssl dhparam -out dhparam.pem 2048
Use this to test SSL config on localhost but realize that these certs will not be trusted by browsers.
$ openssl req -x509 -newkey rsa:2048 -keyout example.com.key -out example.com.crt -days 365 -nodes
-nodes means that the private key will be unencrypted.
For generating CSRs check out my genSAN.sh script (it supports subject alternative names) -> https://github.com/samrocketman/home/blob/master/bin/genSAN.sh
Instead of self-signed certs check out managing your own certificate authority -> https://github.com/samrocketman/my_internal_ca