CA Key erstellen:
# Root CA private key: 4096-bit RSA, encrypted with AES-256 (openssl prompts
# for a passphrase here and again on every signing operation that uses it).
ca_key=ca-key.pem
openssl genrsa -aes256 -out "${ca_key}" 4096
CA erstellen:
# Self-signed root certificate (10 years) from the key created above.
# -extensions v3_ca pulls the CA extensions from the [ v3_ca ] section of the
# system openssl.cnf. -nodes only affects a key generated by this command; with
# -key pointing at an existing file it has no effect and is kept for parity.
ca_subject='/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=onkeldom.lan/emailAddress=certs@onkeldom.eu'
openssl req -x509 -new -nodes -extensions v3_ca \
  -key ca-key.pem -days 3650 -sha512 \
  -subj "${ca_subject}" \
  -out ca-root.pem
Debian, Ubuntu
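# Debian/Ubuntu: update-ca-certificates expects PEM-encoded *.crt files under
# /usr/local/share/ca-certificates (local additions; /usr/share/ca-certificates
# holds the distro-shipped set). The original note converted the root to DER
# first, but the bundle builder concatenates the files as-is, so a DER file
# does not become a usable trust anchor — keep the PEM form and just rename.
sudo cp ca-root.pem /usr/local/share/ca-certificates/ca-root.crt
sudo update-ca-certificates
# Check that the anchor is now trusted; expected output: "ca-root.pem: OK".
openssl verify -CApath /etc/ssl/certs ca-root.pem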
CentOS, Fedora
# CentOS/Fedora: drop the PEM root into the anchors directory and rebuild the
# consolidated trust store; no format conversion is needed here.
anchor_dir=/etc/pki/ca-trust/source/anchors
sudo cp ca-root.pem "${anchor_dir}/"
sudo update-ca-trust
Google Chrome requires the subjectAltName (SAN) extension in server certificates, so every certificate below sets it. See https://www.chromestatus.com/features/4981025180483584
Generate the certificate private key without a passphrase
# Private key for the server/wildcard certificates below: 4096-bit RSA written
# unencrypted (no -aes256), so services can load it without a passphrase.
# NOTE: every certificate in the following sections is issued against this one
# key, so a compromise of cert-key.pem affects all of them; one key per host
# (or per wildcard zone) is the safer layout.
cert_key=cert-key.pem
openssl genrsa -out "${cert_key}" 4096
Generate a certificate for a single host
# Single-host certificate: CSR against the shared cert-key.pem, signed by the
# CA for one year with a subjectAltName equal to the CN (Chrome requires the
# SAN, see the note above).
host=unifi.infra.onkeldom.lan
openssl req -new -sha512 -key cert-key.pem \
  -subj "/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=${host}/emailAddress=certs@onkeldom.eu" \
  -out "${host}.csr"
# -extfile via process substitution needs bash. -CAcreateserial creates
# ca-root.srl on first use and reuses/increments it on later runs.
openssl x509 -req -sha512 -days 365 \
  -in "${host}.csr" -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:%s' "${host}") \
  -out "${host}.pem"
# Additional names go into the same SAN list, e.g.
#   -extfile <(printf 'subjectAltName=DNS:%s,DNS:www.%s' "${host}" "${host}")
Generate wildcard certificates
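# Wildcard certificates. Each one is a CSR against the shared cert-key.pem,
# signed by the CA for one year with a subjectAltName carrying the wildcard
# (Chrome requires the SAN, see the note above). The four repetitions of the
# same two commands are folded into one helper so the file names, CN and SAN
# are spelled out once per certificate.
#
# Arguments: $1 - file base name (<base>.csr and <base>.pem are written)
#            $2 - CN for the certificate subject
#            $3 - subjectAltName value (comma-separated DNS: entries)
# Outputs:   <base>.csr and <base>.pem in the current directory
# Returns:   0 on success, else the exit status of the failing openssl step
issue_wildcard_cert() {
  local base=$1 cn=$2 san=$3
  openssl req -new -sha512 -key cert-key.pem \
    -subj "/C=DE/ST=Hessen/L=Heusenstamm/O=OnkelDom/OU=Ops/CN=${cn}/emailAddress=certs@onkeldom.eu" \
    -out "${base}.csr" || return
  # -extfile via process substitution needs bash. -CAcreateserial creates
  # ca-root.srl on first use and reuses/increments it on later runs.
  openssl x509 -req -sha512 -days 365 \
    -in "${base}.csr" -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial \
    -extfile <(printf 'subjectAltName=%s' "${san}") \
    -out "${base}.pem"
}

# CN = *.infra.onkeldom.lan
issue_wildcard_cert infra.onkeldom.lan '*.infra.onkeldom.lan' 'DNS:*.infra.onkeldom.lan'
# CN = *.mgmt.onkeldom.lan
issue_wildcard_cert mgmt.onkeldom.lan '*.mgmt.onkeldom.lan' 'DNS:*.mgmt.onkeldom.lan'
# CN = *.pub.onkeldom.lan
issue_wildcard_cert pub.onkeldom.lan '*.pub.onkeldom.lan' 'DNS:*.pub.onkeldom.lan'
# CN = onkeldom.lan (the original heading said *.onkeldom.lan, but the CSR uses
# the apex name); the SAN covers both the apex and the *.onkeldom.lan wildcard.
issue_wildcard_cert onkeldom.lan 'onkeldom.lan' 'DNS:onkeldom.lan,DNS:*.onkeldom.lan'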