This guide will be helpful if you want to issue SSL certificates for your server and clients, and use them on devices without bothering with browser security warnings.
When following the guide, you'll get the output files with .crt, .key and .csr extensions,
while in other OpenSSL guides you may find command examples using .pem files.
Don't worry, the file contents are the same: server.crt = server-cert.pem, ca.key = ca-key.pem and so on.
Requirements:
- OpenSSL >= 1.1.1
Command:
openssl genrsa 2048 > ca.key
Result: The ca.key file containing an RSA 2048 private key of your Certificate Authority.
Command:
openssl req -new -x509 -nodes -days 365000 \
-key ca.key \
-out ca.crt
You can set any desired certificate validity duration by changing the -days value.
During the command execution, enter meaningful data at the Organization name prompt,
otherwise it will be difficult to distinguish your certificate from others'.
Result: The ca.crt file containing a self-signed CA certificate.
Command:
openssl req -newkey rsa:2048 -nodes -days 365000 \
-keyout server.key \
-out server.csr
During the command execution, enter meaningful data at the Organization name prompt,
otherwise it will be difficult to distinguish your certificate from others'.
You must also enter your server's primary domain name or IP address at the Common name prompt.
This may be example.com, 10.0.0.101, localhost, etc.
Result: The server.key file containing an RSA 2048 private key of your server,
the server.csr file containing a certificate signing request for the CA.
In order for modern browsers to accept your certificate, you have to include
alternative names into it, even if there is only one you set as the Common name.
Create a file called server-alt-names.cnf and fill it with the configuration as in the following example:
[alt_names]
subjectAltName = IP:127.0.0.1, IP:10.0.0.125, DNS:localhost
To add an IP address, use the IP: prefix. To add a hostname, use the DNS: prefix.
Values must be separated by a comma.
Now issue the server certificate signed by your Certificate authority.
Command:
openssl x509 -req -days 365000 -set_serial 01 \
-in server.csr \
-out server.crt \
-CA ca.crt \
-CAkey ca.key \
-extensions alt_names -extfile ./server-alt-names.cnf
You can set any desired certificate validity duration by changing the -days value.
Result: The server.crt file containing the server certificate signed by the CA.
Command:
openssl req -newkey rsa:2048 -nodes -days 365000 \
-keyout client.key \
-out client.csr
openssl x509 -req -days 365000 -set_serial 02 \
-in client.csr \
-out client.crt \
-CA ca.crt \
-CAkey ca.key
You can set any desired certificate validity duration by changing the -days value.
The client certificate is given serial 02 rather than 01: every certificate issued by the same CA must carry a unique serial number, and some browsers (Firefox, for example) reject a certificate that repeats an issuer/serial pair they have already seen.
During the command execution, enter meaningful data at the Organization name prompt,
otherwise it will be difficult to distinguish your certificate from others'.
Result: The client.key file containing an RSA 2048 private key of your client,
the client.crt file containing the corresponding certificate.
Execute the following commands to confirm the certificates have been issued correctly.
Verify the server certificate:
openssl verify -CAfile ca.crt \
ca.crt \
server.crt
Result: The command output is expected to be the following:
ca.crt: OK
server.crt: OK
Verify the server certificate alternative names:
openssl x509 -in server.crt -text -noout | grep -A1 "Alternative Name"
Result: The command output is expected to list the alternative names you specified in the server-alt-names.cnf file.
Verify the client certificate, if generated:
openssl verify -CAfile ca.crt \
ca.crt \
client.crt
Result: The command output is expected to be the following:
ca.crt: OK
client.crt: OK
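The whole procedure above, as an added example script that is not part of the original guide: it runs every step non-interactively (-subj replaces the prompts) in a scratch directory, then performs the guide's verification checks plus a key/certificate match and a serial uniqueness check. The organization name "Example Org", the host example.com, the IP addresses and the client name are constructed values.

```shell
#!/bin/sh
# Constructed example: the guide's full procedure, run non-interactively
# (-subj replaces the prompts) inside a scratch directory, then checked.
# Assumed values: organization "Example Org", host example.com, IP 10.0.0.125.
set -eu
# issue_certs DIR: create CA, server and client material in DIR.
# The body is a subshell so the cd does not leak into the caller.
issue_certs() (
    mkdir -p "$1" && cd "$1"
    # 1. CA private key and self-signed CA certificate
    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -nodes -days 365000 -key ca.key -out ca.crt \
        -subj "/O=Example Org/CN=Example Org Root CA"

    # 2. Server key and CSR; the Common name carries the primary domain
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/O=Example Org/CN=example.com"

    # 3. Alternative names; the Common name value must be repeated here
    cat > server-alt-names.cnf <<'EOF'
[alt_names]
subjectAltName = DNS:example.com, DNS:localhost, IP:127.0.0.1, IP:10.0.0.125
EOF

    # 4. Server certificate signed by the CA
    openssl x509 -req -days 365000 -set_serial 01 -in server.csr -out server.crt \
        -CA ca.crt -CAkey ca.key -extensions alt_names -extfile server-alt-names.cnf

    # 5. Client key and certificate. Serial 02: every certificate issued by
    #    one CA must carry a distinct serial number.
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/O=Example Org/CN=client-01"
    openssl x509 -req -days 365000 -set_serial 02 -in client.csr -out client.crt \
        -CA ca.crt -CAkey ca.key
)

# check_certs DIR: the guide's verification steps plus two extra checks;
# exit status 0 means everything is consistent.
check_certs() {
    d="$1"
    openssl verify -CAfile "$d/ca.crt" "$d/ca.crt" "$d/server.crt" "$d/client.crt" >/dev/null
    # SAN extension present and listing the primary hostname
    openssl x509 -in "$d/server.crt" -text -noout | grep -A1 "Alternative Name" | grep -q "DNS:example.com"
    # Server key and certificate belong together (identical public key)
    [ "$(openssl x509 -in "$d/server.crt" -noout -pubkey)" = "$(openssl pkey -in "$d/server.key" -pubout)" ]
    # Server and client certificates carry different serials
    [ "$(openssl x509 -in "$d/server.crt" -noout -serial)" != "$(openssl x509 -in "$d/client.crt" -noout -serial)" ]
}
```

Run it as `issue_certs ./pki && check_certs ./pki` from a shell that has sourced the script; a non-zero exit status from check_certs points at the first failing check.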