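# Generate the 4096-bit RSA root CA key. -aes256 protects it with a passphrase
# using AES-256 rather than the legacy 3DES cipher (-des3).
openssl genrsa -aes256 -out rootCA.key 4096
# Self-sign the root certificate with that key (prompts for the key passphrase
# and the subject fields). -nodes is dropped: it only affects a key that req
# generates itself, and here the existing key is supplied with -key.
openssl req -x509 -new -key rootCA.key -sha256 -days 1024 -out rootCA.crt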
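Here we used our root key to create the root certificate, which must be distributed to every computer that has to trust us. Only rootCA.crt is distributed; rootCA.key stays private, because anyone holding it can issue certificates those computers will trust.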
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA.
# Generate the server's 2048-bit RSA private key. No cipher option is given,
# so the key is written without passphrase protection; keep the file readable
# only by the account that runs the server.
openssl genrsa -out mydomain.com.key 2048
mydomain.com.conf
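# Request configuration for the server certificate. The [v3_req] section is
# used twice: for the CSR (req_extensions) and again when the CA signs,
# where it is passed with -extfile/-extensions.
[req]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
C = IN
ST = MUMBAI
L = MUMBAI
O = Siddhesh
OU = Siddhesh Inc
CN = app.localhost
[v3_req]
# End-entity certificate: it must not be usable to sign other certificates.
basicConstraints = CA:FALSE
# digitalSignature is needed whenever the server signs the handshake
# (ECDHE/DHE cipher suites and all of TLS 1.3); keyEncipherment alone only
# covers RSA key transport, and clients that enforce keyUsage reject the
# certificate without it. dataEncipherment is not used by TLS and is dropped.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# Clients match the host name against these entries, so every name the
# server is reached by must be listed here.
DNS.1 = app.localhost
DNS.2 = localhost
DNS.3 = *.localhost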
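# Build the certificate signing request from the server key and the config file.
openssl req -new -key mydomain.com.key -out mydomain.com.csr -config mydomain.com.conf
# Inspect the CSR: confirm the subject and the requested SAN entries before signing.
openssl req -in mydomain.com.csr -noout -text
# Sign the CSR with the root CA (prompts for the rootCA.key passphrase).
# Extensions in a CSR are not copied by "x509 -req", so -extfile/-extensions
# re-apply [v3_req] at signing time. Validity is 825 days rather than 3650:
# the root above is only valid for 1024 days, so a 3650-day leaf would outlive
# its issuer, and some clients (e.g. Apple platforms) reject server
# certificates valid for more than 825 days.
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -extfile mydomain.com.conf -extensions v3_req -days 825 -sha256
# Inspect the issued certificate: check issuer, validity, key usage and SANs.
openssl x509 -in mydomain.com.crt -text -noout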
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309 https://stackoverflow.com/questions/30977264/subject-alternative-name-not-present-in-certificate