Creating a CA root and issuing a server certificate (with SAN) from it

  • openssl genrsa -aes256 -out rootCA.key 4096   (the original used `-des3`; AES-256 is the current choice for passphrase-protecting the root key, which is the most sensitive file produced here — anything signed with it will be trusted by every host that installs rootCA.crt)
  • openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt   (`-x509` produces a self-signed root; `-nodes` only affects a key that `req` generates itself, so it has no effect with an existing `-key`; you will be prompted for the root's subject)
  • openssl genrsa -out mydomain.com.key 2048
  • openssl req -new -key mydomain.com.key -out mydomain.com.csr
  • openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr   (non-interactive equivalent of the previous command: `-subj` supplies the subject so nothing is prompted; the CSR still carries no SAN)
# Build the CSR with a subjectAltName: append a [SAN] section to a copy of the
# system openssl.cnf (fed through process substitution, so the real file is
# untouched) and select it with -reqexts. Requires bash for the <( ) syntax.
# Note: openssl x509 -req does not copy this extension from the CSR; the same
# SAN must be passed again with -extfile when the certificate is signed.
openssl req -new -sha256 \
    -key mydomain.com.key \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
    -reqexts SAN \
    -config <({ cat /etc/ssl/openssl.cnf; printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com"; }) \
    -out mydomain.com.csr
  • openssl req -in mydomain.com.csr -noout -text
  • openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256 -extfile <(printf "subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")   (`x509 -req` does not copy extensions from the CSR, so the SAN must be supplied again here with `-extfile`; without it the issued certificate has no SAN and current browsers and TLS libraries reject it)
  • openssl x509 -in mydomain.com.crt -text -noout   (confirm an `X509v3 Subject Alternative Name` entry listing the expected names is present before deploying the certificate)

You can use the `-config` option to pass a SAN section to `openssl req` when generating the CSR; however `openssl x509 -req` does not carry extensions over from the CSR, so the same SAN has to be given again at signing time via `-extfile` (see the comments below).

Is there a way to inform openssl to ask for the SAN (Subject Alternative Name) when generating the CSR?

@qfan You will also need to pass the same config to the `x509 -req` command when you sign the CSR, with `-extfile certificate.conf -extensions req_ext`; otherwise the extensions in the CSR are silently dropped. Took me a while to figure out.

This is actually a very important comment. If it is forgotten, the subjectAltName (including any IP address entry) will be missing from the signed certificate, and clients that require a SAN will reject it even though the CSR looked correct.
Thanks scipilot!

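#!/usr/bin/env bash
# Issue a server certificate for one site from the local root CA kept in
# ~/rootCA, then install that root into the Debian/Ubuntu system trust store.
#
# Arguments: $1 site hostname (used as CN and in the SAN template),
#            $2 country code, $3 city.
# Requires:  ~/rootCA/certs/rootCA.pem, ~/rootCA/private/rootCA.key, and a
#            v3.ext template in the current directory whose subjectAltName
#            line uses the %%DOMAIN%% placeholder (its contents are not shown
#            on this page). The trust-store steps at the end need root.
set -euo pipefail

site=${1:?usage: $0 <site> <country> <city>}
country=${2:?usage: $0 <site> <country> <city>}
city=${3:?usage: $0 <site> <country> <city>}
ca_dir=${HOME}/rootCA

# Server key + CSR. -nodes leaves the key unencrypted, which is the usual
# choice for a key a daemon must load without a passphrase, so keep the file
# mode restrictive instead.
openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout "${ca_dir}/private/${site}.key" \
    -subj "/C=${country}/ST=None/L=${city}/O=None/CN=${site}" \
    -out "${ca_dir}/certs/${site}.csr"
chmod 600 -- "${ca_dir}/private/${site}.key"

# Render the extension file into a private temp file rather than a fixed
# /tmp name another local user could pre-create; it is removed on exit.
# '|' is used as the sed delimiter so a '/' in the value cannot break the
# expression (a hostname will not contain '|').
ext_file=$(mktemp) || exit 1
trap 'rm -f -- "${ext_file}"' EXIT
sed "s|%%DOMAIN%%|${site}|g" v3.ext > "${ext_file}"

# Sign with the root. -extfile is mandatory: x509 -req does not copy any
# extension (subjectAltName included) from the CSR. 3650 days is kept from
# the original; shorten it if your clients enforce a maximum leaf lifetime.
openssl x509 -req -in "${ca_dir}/certs/${site}.csr" \
    -CA "${ca_dir}/certs/rootCA.pem" -CAkey "${ca_dir}/private/rootCA.key" \
    -CAcreateserial \
    -out "${ca_dir}/certs/${site}.crt" -days 3650 -sha256 \
    -extfile "${ext_file}"

# Trust the root system-wide. From now on this host accepts anything signed
# with rootCA.key, so that key must be guarded like any other credential.
# ca-certificates only picks up .crt files; the x509 call below re-emits PEM
# (the default -outform), so rootCA.crt has the same content as rootCA.pem.
mkdir -p /usr/share/ca-certificates/extra
cp -- "${ca_dir}/certs/rootCA.pem" /usr/share/ca-certificates/extra/rootCA.pem
openssl x509 -in /usr/share/ca-certificates/extra/rootCA.pem -inform PEM \
    -out /usr/share/ca-certificates/extra/rootCA.crt
dpkg-reconfigure ca-certificates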