The Let's Encrypt website covers this topic in depth. Using the right config values is key. openssl simplifies the cert creation.
printf '[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > /tmp/ssl-config
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout /etc/ssl/server.key -out /etc/ssl/server.crt -subj '/CN=localhost' -extensions EXT -config /tmp/ssl-config
Note: We create a temporary config file to use as the -config parameter instead of using process substitution (-config <(...)) because of better compatibility.
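
The script below is an added example, not part of the original page. It generates the same certificate and then confirms that the [EXT] section was actually applied, since a certificate created without -extensions EXT carries no subjectAltName. The function names and the private temp directory used in place of /tmp/ssl-config and /etc/ssl are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original page). Paths are assumptions:
# a caller-supplied private directory replaces /tmp and /etc/ssl.

# make_localhost_cert DIR [noext]
# Writes DIR/server.key and DIR/server.crt using the page's config.
# Passing "noext" omits -extensions EXT to show what the check catches.
make_localhost_cert() {
    dir=$1
    ext_args='-extensions EXT'
    if [ "${2:-}" = noext ]; then ext_args=''; fi
    (
        umask 077   # -nodes leaves the key unencrypted: keep it owner-only
        printf '[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$dir/ssl-config"
        # $ext_args is intentionally unquoted so it splits into two words
        openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -subj '/CN=localhost' $ext_args -config "$dir/ssl-config"
    )
}

# check_localhost_cert CRT
# Returns 0 only if SAN, keyUsage and extendedKeyUsage from [EXT] are present.
check_localhost_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    for want in 'DNS:localhost' 'Digital Signature' \
                'TLS Web Server Authentication'; do
        printf '%s\n' "$text" | grep -q "$want" || {
            echo "missing extension value: $want" >&2
            return 1
        }
    done
    return 0
}

# run_check: generate into a fresh private temp dir, verify, clean up.
run_check() {
    tmp=$(mktemp -d) || return 2
    rc=0
    make_localhost_cert "$tmp" && check_localhost_cert "$tmp/server.crt" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Calling run_check exercises the whole flow. check_localhost_cert can also be pointed at an existing file such as /etc/ssl/server.crt.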