{"id":2596,"date":"2019-06-30T19:45:48","date_gmt":"2019-06-30T23:45:48","guid":{"rendered":"http:\/\/ninecrows.com\/career\/?page_id=2596"},"modified":"2019-06-30T19:45:48","modified_gmt":"2019-06-30T23:45:48","slug":"creating-a-ca-root","status":"publish","type":"page","link":"https:\/\/ninecrows.com\/career\/creating-a-ca-root\/","title":{"rendered":"Creating a CA Root"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li><code>openssl genrsa -des3 -out rootCA.key 4096<\/code><\/li><li><code>openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt<\/code><\/li><li><code>openssl genrsa -out mydomain.com.key 2048<\/code><\/li><li><code>openssl req -new -key mydomain.com.key -out mydomain.com.csr<\/code><\/li><li><code>openssl req -new -sha256 -key mydomain.com.key -subj \"\/C=US\/ST=CA\/O=MyOrg, Inc.\/CN=mydomain.com\" -out mydomain.com.csr<\/code><\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -new -sha256 \\\n    -key mydomain.com.key \\\n    -subj \"\/C=US\/ST=CA\/O=MyOrg, Inc.\/CN=mydomain.com\" \\\n    -reqexts SAN \\\n    -config &lt;(cat \/etc\/ssl\/openssl.cnf \\\n        &lt;(printf \"\\n[SAN]\\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com\")) \\\n    -out mydomain.com.csr<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li><code>openssl req -in mydomain.com.csr -noout -text<\/code><\/li><li><code>openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256<\/code><\/li><li><code>openssl x509 -in mydomain.com.crt -text -noout<\/code><\/li><\/ul>\n\n\n\n<p>\n\nYou can use -config option to pass SAN to openssl\n\n<\/p>\n\n\n\n<p> Is there a way to inform openssl to ask for the SAN (Subject Alternative Name) when generating the CSR? <\/p>\n\n\n\n<p>@qfan You will also need to pass the same config to the x509 command when you use the CSR, with -extfile certificate.conf -extensions req_ext. 
Took me a while to figure out.<\/p>\n\n\n\n<p>This is actually a very important comment. If forgotten the subjectAltName with the IP address will be missing!<br> Thanks scipilot!<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout ~\/rootCA\/private\/&lt;mysite&gt;.key \\\n            -subj \"\/C=&lt;mycountry&gt;\/ST=None\/L=&lt;mycity&gt;\/O=None\/CN=&lt;mysite&gt;\" \\\n            -out ~\/rootCA\/certs\/&lt;mysite&gt;.csr\ncat v3.ext | sed s\/%%DOMAIN%%\/&lt;mysite&gt;\/g &gt; \/tmp\/_v3.ext\nopenssl x509 -req -in ~\/rootCA\/certs\/&lt;mysite&gt;.csr -CA ~\/rootCA\/certs\/rootCA.pem \\\n            -CAkey ~\/rootCA\/private\/rootCA.key -CAcreateserial \\\n            -out ~\/rootCA\/certs\/&lt;mysite&gt;.crt -days 3650 -sha256 -extfile \/tmp\/_v3.ext<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">mkdir -p \/usr\/share\/ca-certificates\/extra\ncp ~\/rootCA\/certs\/rootCA.pem \/usr\/share\/ca-certificates\/extra\/rootCA.pem<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl x509 -in \/usr\/share\/ca-certificates\/extra\/rootCA.pem -inform PEM -out \/usr\/share\/ca-certificates\/extra\/rootCA.crt\ndpkg-reconfigure ca-certificates\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>openssl genrsa -des3 -out rootCA.key 4096 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt openssl genrsa -out mydomain.com.key 2048 openssl req -new -key mydomain.com.key -out mydomain.com.csr openssl req -new -sha256 -key mydomain.com.key -subj &#8220;\/C=US\/ST=CA\/O=MyOrg, Inc.\/CN=mydomain.com&#8221; -out mydomain.com.csr openssl req -in mydomain.com.csr -noout -text openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey &hellip; <a 
href=\"https:\/\/ninecrows.com\/career\/creating-a-ca-root\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Creating a CA Root<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"class_list":["post-2596","page","type-page","status-publish","hentry"],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/P7F2Qc-FS","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/ninecrows.com\/career\/wp-json\/wp\/v2\/pages\/2596"}],"collection":[{"href":"https:\/\/ninecrows.com\/career\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/ninecrows.com\/career\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/ninecrows.com\/career\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ninecrows.com\/career\/wp-json\/wp\/v2\/comments?post=2596"}],"version-history":[{"count":1,"href":"https:\/\/ninecrows.com\/career\/wp-json\/wp\/v2\/pages\/2596\/revisions"}],"predecessor-version":[{"id":2598,"href":"https:\/\/ninecrows.com\/career\/wp-json\/wp\/v2\/pages\/2596\/revisions\/2598"}],"wp:attachment":[{"href":"https:\/\/ninecrows.com\/career\/wp-json\/wp\/v2\/media?parent=2596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}