@SiddheshNan
Last active February 11, 2021 22:54
Create Root CA

Create Root Key

openssl genrsa -des3 -out rootCA.key 4096

Create and self-sign the root certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Here the root key signs its own certificate. The -des3 flag above encrypted rootCA.key with a passphrase, so every later signing operation will prompt for it; -nodes has no effect here because the key already exists. Check the result with openssl x509 -in rootCA.crt -noout -text and make sure basicConstraints shows CA:TRUE (the default openssl.cnf supplies this through its v3_ca section; if yours does not, add that section and pass it with -config). Distribute rootCA.crt, and only rootCA.crt, to every machine that has to trust certificates issued by this CA; rootCA.key stays offline, because anyone holding it can mint a certificate for any name those machines will accept.

Create a certificate for server

Repeat this procedure for each server or appliance that needs a certificate issued by our CA. Each one gets its own private key; never reuse a key across hosts.

Create the certificate private key

openssl genrsa -out mydomain.com.key 2048

Create the subject alternative name (SAN) config

mydomain.com.conf

[req]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = IN
ST = MUMBAI
L = MUMBAI
O = Siddhesh
OU = Siddhesh Inc
CN = app.localhost

[v3_req]
# A leaf certificate must never be able to sign other certificates
basicConstraints = CA:FALSE
# digitalSignature is required for (EC)DHE key exchange and for TLS 1.3;
# keyEncipherment covers legacy RSA key exchange; dataEncipherment has no
# role in TLS, so it is dropped
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Clients match the host name against SAN entries, not CN
subjectAltName = @alt_names

[alt_names]
DNS.1 = app.localhost
DNS.2 = localhost
DNS.3 = *.localhost

Create the certificate signing request (CSR)

openssl req -new -key mydomain.com.key -out mydomain.com.csr -config mydomain.com.conf

Verify the CSR's contents; the Requested Extensions block should list every SAN entry from the config

openssl req -in mydomain.com.csr -noout -text 

Generate the certificate from the CSR, signed with the root CA key. openssl x509 -req does not copy extensions from the CSR, so the v3_req section is passed again with -extfile and -extensions; without them the issued certificate carries no SAN and modern clients reject it. -CAcreateserial creates rootCA.srl on first use and reuses it afterwards, so keep that file next to the CA key to avoid duplicate serial numbers. Keep the leaf validity shorter than the CA's remaining lifetime (the root above lives 1024 days) and under Apple's 825-day ceiling for TLS server certificates, which applies even to a user-installed root:

openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -extfile mydomain.com.conf -extensions v3_req -days 365 -sha256

Verify the certificate's contents

openssl x509 -in mydomain.com.crt -text -noout

Sources

https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
https://stackoverflow.com/questions/30977264/subject-alternative-name-not-present-in-certificate
