Creating a CA Root

  • openssl genrsa -des3 -out rootCA.key 4096
  • openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
  • openssl genrsa -out <domain>.key 2048
  • openssl req -new -key <domain>.key -out <domain>.csr
  • openssl req -new -sha256 -key <domain>.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=<domain>" -out <domain>.csr
openssl req -new -sha256 \
    -key <domain>.key \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=<domain>" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:<domain>,DNS:<alt-domain>")) \
    -out <domain>.csr
  • openssl req -in <domain>.csr -noout -text
  • openssl x509 -req -in <domain>.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out <domain>.crt -days 500 -sha256
  • openssl x509 -in <domain>.crt -text -noout

You can use -config option to pass SAN to openssl

Is there a way to inform openssl to ask for the SAN (Subject Alternative Name) when generating the CSR?

@qfan You will also need to pass the same config to the x509 command when you use the CSR, with -extfile certificate.conf -extensions req_ext. Took me a while to figure out.

This is actually a very important comment. If it is forgotten, the subjectAltName with the IP address will be missing, because openssl x509 -req does not copy extensions from the CSR by default!
Thanks scipilot!

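# Issue a certificate for <mysite> signed by the local root CA, then add that
# root to the system trust store (Debian/Ubuntu layout). Replace every <...>
# placeholder before running; v3.ext is read from the current directory.

# -nodes writes the new private key unencrypted, so ~/rootCA/private should be
# readable only by its owner.
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout ~/rootCA/private/<mysite>.key \
            -subj "/C=<mycountry>/ST=None/L=<mycity>/O=None/CN=<mysite>" \
            -out ~/rootCA/certs/<mysite>.csr

# Render the extension template into a private temp file from mktemp. The
# contents of this file become the extensions of the signed certificate, so it
# must not live at a fixed, guessable path in /tmp that another local user
# could pre-create or modify between the write and the signing step.
ext_file=$(mktemp) &&
  sed 's/%%DOMAIN%%/<mysite>/g' v3.ext > "$ext_file" &&
  openssl x509 -req -in ~/rootCA/certs/<mysite>.csr -CA ~/rootCA/certs/rootCA.pem \
              -CAkey ~/rootCA/private/rootCA.key -CAcreateserial \
              -out ~/rootCA/certs/<mysite>.crt -days 3650 -sha256 -extfile "$ext_file"
# Remove the rendered extension file whether or not signing succeeded.
[ -n "$ext_file" ] && rm -f -- "$ext_file"

# Install the root certificate into the system trust store (requires root).
# Once installed, this host trusts every certificate signed with rootCA.key,
# so access to that key should be tightly restricted.
mkdir -p /usr/share/ca-certificates/extra
cp ~/rootCA/certs/rootCA.pem /usr/share/ca-certificates/extra/rootCA.pem
# Re-emit the PEM certificate under a .crt name in the same directory.
openssl x509 -in /usr/share/ca-certificates/extra/rootCA.pem -inform PEM -out /usr/share/ca-certificates/extra/rootCA.crt
dpkg-reconfigure ca-certificates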