@eshleebien
Last active May 28, 2020 11:10

Become a Certificate Authority

Create config

$ cat > crt.cfg <<-'EOF'
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 2048
default_keyfile = ca.key
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = JP
ST = Tokyo
L = Tokyo
O = <O>
OU = <OU>
CN = <your-domain>
emailAddress = <email>
EOF

Generate private key

$ openssl genrsa -des3 -out ca.key 2048

Generate root certificate

$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 825 -config crt.cfg -out ca.pem

Create CA-signed certs

$ NAME=mydomain.com # Use your own domain name

# Generate a private key
$ openssl genrsa -out $NAME.key 2048

# Create a certificate-signing request
$ openssl req -new -key $NAME.key -config crt.cfg -out $NAME.csr

# Create a config file for the extensions
$ >$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF

# Create the signed certificate
$ openssl x509 -req -in $NAME.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
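The steps above, run end to end and then checked, as an added example that is not part of the gist. It assumes an `openssl` binary (1.1.1 or later) on PATH and makes three deliberate changes the gist does not: the CA key is left unencrypted so the run needs no passphrase prompt, the CA certificate carries explicit `v3_ca` extensions (`CA:TRUE`, `keyCertSign`) because OpenSSL 1.1.1's `req -x509` does not add them on its own, and the leaf gets `extendedKeyUsage = serverAuth` so `openssl verify -purpose sslserver` applies. The function names (`write_req_cfg`, `ca_build`, `make_and_verify_cert`), the DN values and the hostname `example.test` are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the gist: builds the CA and a CA-signed leaf in a
# throwaway directory, then verifies the chain and the extensions that matter.
# Assumptions: openssl 1.1.1+ on PATH; DN values and hostnames are constructed.

# Print a req config for the given CN (DN fields are placeholders).
write_req_cfg() {
    cat <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = JP
ST = Tokyo
L = Tokyo
O = Example Org
OU = Example Unit
CN = $1
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Build the CA and the leaf in the current directory; any failing step aborts.
ca_build() {
    name="$1"

    # Root CA: unencrypted key (no -des3) so nothing prompts; explicit CA extensions.
    write_req_cfg "Example Root CA" > ca.cfg || return 1
    openssl genrsa -out ca.key 2048 2>/dev/null || return 1
    openssl req -x509 -new -key ca.key -sha256 -days 825 \
        -config ca.cfg -extensions v3_ca -out ca.pem || return 1

    # Leaf key and CSR, same DN layout with CN set to the hostname.
    write_req_cfg "$name" > leaf.cfg || return 1
    openssl genrsa -out "$name.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$name.key" -config leaf.cfg -out "$name.csr" || return 1

    # Leaf extensions as in the gist, plus extendedKeyUsage; $name is expanded.
    cat > "$name.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $name
DNS.2 = bar.$name
IP.1 = 192.168.0.13
EOF
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out "$name.crt" -days 825 -sha256 -extfile "$name.ext" || return 1

    # Checks a reviewer wants: the chain validates for a TLS server, the SAN
    # carries the hostname (CN alone is not honoured), and the leaf is not a CA.
    openssl verify -CAfile ca.pem -purpose sslserver "$name.crt" >/dev/null || return 1
    leaf_text="$(openssl x509 -in "$name.crt" -noout -text)" || return 1
    printf '%s\n' "$leaf_text" | grep -q "DNS:$name" || return 1
    printf '%s\n' "$leaf_text" | grep -q "CA:FALSE" || return 1
}

# Entry point: prints the directory holding ca.pem, <name>.key and <name>.crt,
# or removes it and returns 1 if any step or check failed.
make_and_verify_cert() {
    name="${1:-mydomain.com}"
    work="$(mktemp -d)" || return 1
    if ( cd "$work" && ca_build "$name" ); then
        echo "$work"
    else
        rm -rf "$work"
        return 1
    fi
}

# Usage: make_and_verify_cert example.test   (prints the work directory)
```

The `v3_ca` section is the part worth keeping even if you stay with the gist's interactive flow: without `basicConstraints = CA:TRUE` on the root, OpenSSL 1.1.1 emits a v3 certificate with no extensions at all, and `openssl verify` rejects it as an invalid CA even though browsers that import it directly as a trust anchor may still accept it.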