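# Root CA: a passphrase-protected 4096-bit RSA key plus a self-signed CA certificate.
# Whoever holds rootCA.key can mint certificates every machine that trusts rootCA.crt
# will accept, so keep it offline and readable only by its owner.
# -aes256 replaces the original -des3: 3DES is a legacy cipher that OpenSSL 3 treats
# as weak, and AES-256 is the usual choice for PKCS#8/PEM key encryption today.
openssl genrsa -aes256 -out rootCA.key 4096
chmod 600 rootCA.key
# Self-signed CA certificate, valid for 1024 days. The original carried -nodes, which
# only matters when req generates a key itself (-newkey); with -key it is a no-op and
# is dropped here. CA:TRUE comes from the default config's v3_ca section when
# -x509 is used — confirm with: openssl x509 -in rootCA.crt -noout -text
openssl req -x509 -new -key rootCA.key -sha256 -days 1024 -out rootCA.crt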
# Leaf (server) key: 2048-bit RSA, written unencrypted so a daemon can load it unattended.
openssl genrsa -out mydomain.com.key 2048
# Two equivalent ways to build the request. Either one produces mydomain.com.csr;
# the second overwrites the first if both are run.
# (1) Interactive: openssl prompts for each subject field.
openssl req -new -out mydomain.com.csr -key mydomain.com.key
# (2) Non-interactive: the subject DN is given with -subj and the request is
#     signed with SHA-256. Note that neither form carries a subjectAltName;
#     modern clients match host names against the SAN, not the CN.
openssl req -new -sha256 -out mydomain.com.csr -key mydomain.com.key \
  -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com"
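# CSR that requests a subjectAltName. Every host name the server answers for must
# be listed here; clients ignore the CN for host-name matching.
san="DNS:mydomain.com,DNS:www.mydomain.com"
# The system openssl.cnf is concatenated with an ad-hoc [SAN] section and fed to
# -config. OPENSSL_CONF is honoured when set; the fallback is the Debian/Ubuntu
# location — on other distributions look at `openssl version -d`.
# Process substitution <(...) is a bash feature; this will not run under plain sh.
cnf="${OPENSSL_CONF:-/etc/ssl/openssl.cnf}"
openssl req -new -sha256 \
  -key mydomain.com.key \
  -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
  -reqexts SAN \
  -config <(cat "$cnf" <(printf '\n[SAN]\nsubjectAltName=%s\n' "$san")) \
  -out mydomain.com.csr
# OpenSSL 1.1.1 and later can skip the config gymnastics entirely:
#   openssl req -new -sha256 -key mydomain.com.key -subj "..." \
#     -addext "subjectAltName=$san" -out mydomain.com.csr
# Check the request before signing: look for "X509v3 Subject Alternative Name"
# under "Requested Extensions". If it is absent, the -reqexts/-config pair was
# not picked up.
openssl req -in mydomain.com.csr -noout -text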
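# Sign the CSR with the root CA. `openssl x509 -req` does NOT copy requested
# extensions from the CSR, so the subjectAltName put into the request above is
# silently dropped unless it is supplied again here. -extfile with no -extensions
# reads the unnamed default section of the file, so a bare "subjectAltName=" line
# is enough. (OpenSSL 3.x alternatively accepts `-copy_extensions copy`.)
san="DNS:mydomain.com,DNS:www.mydomain.com"
# -CAcreateserial writes rootCA.srl next to the CA cert and reuses it on later runs,
# which keeps serial numbers unique across certificates issued by this CA.
openssl x509 -req -in mydomain.com.csr \
  -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -days 500 -sha256 \
  -extfile <(printf 'subjectAltName=%s\n' "$san") \
  -out mydomain.com.crt
# Inspect the issued certificate: "X509v3 Subject Alternative Name" must appear
# under "X509v3 extensions", and the chain must validate against the CA.
openssl x509 -in mydomain.com.crt -text -noout
openssl verify -CAfile rootCA.crt mydomain.com.crt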
You can use the -config option to pass the SAN (subjectAltName) to openssl when creating the CSR; note that the SAN must be passed again at signing time, because `openssl x509 -req` does not copy extensions from the CSR.
Is there a way to inform openssl to ask for the SAN (Subject Alternative Name) when generating the CSR?
@qfan You will also need to pass the same config to the `x509` command when you sign the CSR, with `-extfile certificate.conf -extensions req_ext`. `openssl x509 -req` does not copy requested extensions from the CSR, so without this the SAN is silently dropped from the issued certificate. Took me a while to figure out.
This is actually a very important comment: if that step is forgotten, the subjectAltName (including any IP address entries) will be missing from the signed certificate.
Thanks scipilot!
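# Leaf certificate for one site, signed by the local root CA under ~/rootCA.
# Replace <mysite>, <mycountry> and <mycity> before running; in the original these
# were literal placeholders (which the shell would parse as redirections).
site='<mysite>'
# Key and CSR in one step. -nodes leaves the private key unencrypted on disk, so it
# is only as safe as the permissions on ~/rootCA/private.
openssl req -new -newkey rsa:4096 -sha256 -nodes \
  -keyout ~/rootCA/private/"$site".key \
  -subj "/C=<mycountry>/ST=None/L=<mycity>/O=None/CN=$site" \
  -out ~/rootCA/certs/"$site".csr
# v3.ext is a template in which %%DOMAIN%% stands for the host name. The filled-in
# copy is written to a mktemp file rather than the predictable /tmp/_v3.ext, which
# another local user could pre-create (or swap) to inject their own extensions into
# the certificate you are about to sign. Host names never contain '/', so using it
# as the sed delimiter is safe here.
ext=$(mktemp) || exit 1
trap 'rm -f -- "$ext"' EXIT
sed "s/%%DOMAIN%%/$site/g" v3.ext > "$ext"
# 3650 days is far longer than any public CA will issue; acceptable for a private
# lab CA, but remember a leaked key stays usable for the whole decade. The SAN and
# other extensions come from the ext file — `x509 -req` does not copy them from the CSR.
openssl x509 -req -in ~/rootCA/certs/"$site".csr \
  -CA ~/rootCA/certs/rootCA.pem -CAkey ~/rootCA/private/rootCA.key -CAcreateserial \
  -days 3650 -sha256 -extfile "$ext" \
  -out ~/rootCA/certs/"$site".crt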
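# Install the root CA into the Debian/Ubuntu system trust store.
# update-ca-certificates only picks up files whose name ends in .crt and expects
# PEM; the original `openssl x509 -in ... -out ...` step (no -outform) was a
# PEM-to-PEM copy whose only effect was that rename, so a plain copy suffices.
# /usr/local/share/ca-certificates/ is the documented location for locally added
# CAs and is trusted by update-ca-certificates without the interactive
# `dpkg-reconfigure ca-certificates` selection that /usr/share/ca-certificates/extra
# requires. Run as root.
install -d -m 0755 /usr/local/share/ca-certificates
install -m 0644 ~/rootCA/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
update-ca-certificates
# This only affects programs that use the system bundle (/etc/ssl/certs). Browsers
# such as Firefox (and typically Chrome on Linux) keep their own NSS trust store and
# need the CA imported separately.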