Generate a valid SSL certificate with public/private key for wildcard domains (compatible with IIS) - 2017
Open a text editor, paste the following configuration, and save it as config.txt.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
ST = VD
L = Lausanne
O = Company
OU = Department
CN = *.domain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.domain.com
where:
- CN = commonName (for example, “CN=My Root CA”)
- OU = organizationalUnitName (for example, “OU=Dev”)
- O = organizationName (for example, “O=Jayway”)
- L = localityName (for example, “L=San Francisco”)
- ST = stateOrProvinceName (for example, “ST=CA”)
- C = countryName (for example, “C=US”)
As a reminder:
- .pem: defined in RFCs 1421 through 1424, this is a container format that may hold just the public certificate (as with Apache installs and the CA certificate files in /etc/ssl/certs), or an entire certificate chain including public key, private key and root certificates. The name comes from Privacy Enhanced Mail, a failed method for secure e-mail whose container format lives on: a base64 encoding of the X.509 ASN.1 structures.
- .cert, .cer, .crt: a .pem-formatted file with a different extension, one that Windows Explorer recognizes as a certificate (it does not recognize .pem).
More information about the Certificate signing request.
With the following command, the private key and the self-signed certificate (which carries the public key) are both written to the same .pem file.
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout cert.pem -out cert.pem -config config.txt
As a reminder:
- .pkcs12, .pfx, .p12: originally defined by RSA in the Public-Key Cryptography Standards; the "12" variant was enhanced by Microsoft. This is a password-protected container format that holds the certificate together with its private key. Unlike .pem files, this container is fully encrypted. OpenSSL can convert it into a .pem file containing both the public and private keys.
openssl pkcs12 -export -out cert.pfx -in cert.pem -name "*.domain.com" -passout pass:mypassword
If this certificate is meant to be recognized by your browser, you need to configure your local store to trust the self-signed certificate. In Windows, open an MMC console (mmc.exe) and add the Certificates snap-in (don't forget to choose Computer account when adding the snap-in). Import the certificate into Trusted Root Certification Authorities.
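The whole procedure as one script, added here as an example that is not part of the original post: it writes the config, generates cert.pem and cert.pfx the way the commands above do, and then checks the output before anything is imported. It assumes openssl is on PATH; the domain, password and working directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: builds the wildcard certificate
# the way the post does, exports the .pfx and checks the result before it is
# imported. Assumes openssl on PATH; domain, password and directory are
# placeholders that can be overridden through the environment.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-*.domain.com}"     # placeholder
PFX_PASS="${PFX_PASS:-mypassword}"   # placeholder, use a real one
# Same config as the post, subject shortened to C and CN. The post's keyUsage
# omits digitalSignature; stacks that enforce keyUsage need it for (EC)DHE/TLS 1.3.
write_config() {
  cat > "$WORKDIR/config.txt" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
CN = $DOMAIN
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF
}
# Private key and self-signed certificate into one PEM (openssl req appends
# the cert when -keyout and -out name the same file), then the PKCS#12.
generate() {
  write_config
  openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout "$WORKDIR/cert.pem" \
    -out "$WORKDIR/cert.pem" -config "$WORKDIR/config.txt" 2>/dev/null
  openssl pkcs12 -export -in "$WORKDIR/cert.pem" -out "$WORKDIR/cert.pfx" \
    -name "$DOMAIN" -passout "pass:$PFX_PASS"
}
# Pre-import checks: wildcard SAN present, EKU is serverAuth, private key
# matches the certificate, and the .pfx opens and holds that same certificate.
verify() {
  txt=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -text)
  printf '%s\n' "$txt" | grep -qF -- "DNS:$DOMAIN" || return 1
  printf '%s\n' "$txt" | grep -qF "TLS Web Server Authentication" || return 1
  [ "$(openssl x509 -in "$WORKDIR/cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORKDIR/cert.pem" -pubout)" ] || return 1
  pem_fp=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -fingerprint -sha256)
  pfx_fp=$(openssl pkcs12 -in "$WORKDIR/cert.pfx" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256)
  [ "$pem_fp" = "$pfx_fp" ]
}
```

Run it with `generate && verify`; a non-zero exit from verify means one of the checks on the generated files failed.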
- http://andyarismendi.blogspot.ch/2011/09/creating-certificates-with-sans-using.html
- https://blog.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/
- https://www.quora.com/Digital-Certificates-What-is-the-difference-between-usecase-for-pem-pfx-fp-cer-crt-etc-files-and-how-can-they-be-converted-to-one-another