Create CA cert
1. Create the ca root key
openssl genrsa -out rootCA.key 2048
1b. create the ca root key with password protection
openssl genrsa -des3 -out rootCA.key 2048
2. self sign the ca root cert
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
Create a normal ssl cert
1. create a private key
openssl genrsa -out server.key 2048
2. create csr
openssl req -new -key server.key -out server.csr
3. sign the cert using the ca
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500
3b. self sign the cert without using ca
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Create a normal version 3 ssl cert with subject alternative name
1. create a private key
openssl genrsa -out server.key 2048
2. copy the default openssl.cnf file and add/modify the following:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kb.example.com
DNS.2 = helpdesk.example.org
DNS.3 = systems.example.net
IP.1 = 192.168.1.1
IP.2 = 192.168.69.14
3. create the csr
openssl req -new -out server.csr -key server.key -config openssl.cnf
4. sign the cert using the ca
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -extensions v3_req -extfile openssl.cnf
4b. self sign the cert without using ca
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions v3_req -extfile openssl.cnf
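Added example (not part of the original notes): the SAN procedure above run non-interactively, with checks on the result. It signs the same CSR with and without -extensions/-extfile to show that the SAN requested in the CSR is dropped when they are omitted. The function names, the -subj values and the [v3_ca] section are assumptions made for this example.

```shell
# write_cnf FILE: the v3_req/alt_names sections from step 2, plus a v3_ca
# section (assumption: stands in for the default openssl.cnf CA settings).
write_cnf() {
cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
[req_distinguished_name]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kb.example.com
IP.1 = 192.168.1.1
EOF
}

# build_pki DIR: CA, server key and CSR, then the same CSR signed twice.
build_pki() {
  ( cd "$1" && write_cnf openssl.cnf &&
    openssl genrsa -out rootCA.key 2048 &&
    openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem \
      -subj "/CN=Constructed Test Root" -config openssl.cnf &&
    openssl genrsa -out server.key 2048 &&
    openssl req -new -out server.csr -key server.key \
      -subj "/CN=kb.example.com" -config openssl.cnf &&
    # Step 4 as on the page: extensions supplied at signing time.
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
      -CAcreateserial -out server.crt -days 3650 \
      -extensions v3_req -extfile openssl.cnf &&
    # Same CSR without -extensions/-extfile: the requested SAN is dropped.
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
      -CAcreateserial -out nosan.crt -days 3650
  ) >/dev/null 2>&1
}

# has_san CERT NAME: succeeds if NAME is listed in the cert's SAN extension.
has_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | grep -qF -- "$2"
}
# chain_ok DIR: succeeds if server.crt verifies against rootCA.pem.
chain_ok() { openssl verify -CAfile "$1/rootCA.pem" "$1/server.crt" >/dev/null 2>&1; }
# Usage: d=$(mktemp -d); build_pki "$d" && has_san "$d/server.crt" kb.example.com
```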
Display the ssl cert info
openssl x509 -in server.crt -noout -text
or
openssl x509 -in server.crt -text