Self Signed Certificate with Custom Root CA

Create Root CA (Done once)

Create Root Key

Attention: this is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

If you want a non-password-protected key, just remove the -des3 option.

Create and self sign the Root Certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.

Create a certificate (Done for each server)

This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA

Create the certificate key

openssl genrsa -out mydomain.com.key 2048

Create the signing request (csr)

The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case, since you created it earlier) to generate the certificate.

Important: while creating the signing request, it is important to specify the Common Name, providing the IP address or domain name of the service; otherwise the certificate cannot be verified.

I will describe here two ways to gener

Method A (Interactive)

If you generate the csr in this way, openssl will ask you questions about the certificate to generate, like the organization details and the Common Name (CN), that is, the web address you are creating the certificate for, e.g. mydomain.com.

openssl req -new -key mydomain.com.key -out mydomain.com.csr

Method B (One Liner)

This method generates the same output as Method A, but it's suitable for use in your automation :).

openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr

If you need to pass additional config, you can use the -config parameter; here, for example, I want to add alternative names to my certificate.

openssl req -new -sha256 \
    -key mydomain.com.key \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
    -out mydomain.com.csr

Verify the csr's content

openssl req -in mydomain.com.csr -noout -text

Generate the certificate using the mydomain csr and key along with the CA Root key

openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256

Verify the certificate's content

openssl x509 -in mydomain.com.crt -text -noout
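The whole procedure above, end to end, as an added self-contained script (this is my example, not the gist's own code). It builds the root CA once, then a server key and a CSR whose SAN comes from a config file, signs it, and finishes with the checks a TLS client actually performs: that the chain ends at our root and that the hostname is present in the SAN. It assumes only that openssl 1.1.1 or later is on the PATH and writes everything into a scratch directory; the config file layouts, the "MyOrg Root CA" name and the hostnames are my own constructed values. One caveat the script makes explicit: openssl x509 -req does not carry the CSR's extensions into the issued certificate, so the SAN section has to be passed again at signing time with -extfile/-extensions, otherwise the cert comes out without any SAN.

```shell
#!/bin/sh
# Added example, not part of the gist: the full private-CA workflow,
# end to end, with the checks a TLS client would perform at the end.
# Assumes openssl 1.1.1+ on the PATH. All files go to a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (once): root key and self-signed root certificate.
# The key is left unencrypted only so the script runs unattended; for a
# real CA key keep the gist's passphrase option (prefer -aes256 over -des3).
# A constructed config supplies the CA extensions so the script does not
# depend on the system openssl.cnf.
make_root_ca() {
  cat > "$WORK/ca.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = US
O = MyOrg, Inc.
CN = MyOrg Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -days 1024 \
    -config "$WORK/ca.conf" -out "$WORK/rootCA.crt"
}

# Step 2 (per server): key plus a CSR whose SAN lists every name the
# service answers to. Modern browsers ignore the CN for host matching.
make_server_csr() {
  domain="$1"
  cat > "$WORK/$domain.conf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
C = US
ST = CA
O = MyOrg, Inc.
CN = $domain
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
DNS.2 = www.$domain
EOF
  openssl genrsa -out "$WORK/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$domain.key" -config "$WORK/$domain.conf" \
    -out "$WORK/$domain.csr"
}

# Step 3: sign with the root. `openssl x509 -req` does not copy the CSR's
# extensions, so the SAN section is named again via -extfile/-extensions;
# without that the issued cert would carry no SAN at all.
sign_server_cert() {
  domain="$1"
  openssl x509 -req -in "$WORK/$domain.csr" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -days 500 -sha256 -extfile "$WORK/$domain.conf" -extensions req_ext \
    -out "$WORK/$domain.crt" 2>/dev/null
}

# Step 4: what a client checks: the chain ends at our root AND the host
# it connected to appears in the SAN. Exit status 0 only if both hold.
verify_cert() {
  openssl verify -CAfile "$WORK/rootCA.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Extract the SAN line of an issued certificate for inspection.
cert_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

demo() {
  make_root_ca
  make_server_csr mydomain.com
  sign_server_cert mydomain.com
  echo "SAN: $(cert_san mydomain.com)"
  for host in mydomain.com www.mydomain.com other.example; do
    if verify_cert mydomain.com "$host"; then
      echo "$host: OK"
    else
      echo "$host: rejected (not in SAN or chain invalid)"
    fi
  done
}

demo
```

Running it prints the SAN of the issued certificate and then OK for mydomain.com and www.mydomain.com but a rejection for other.example; dropping the -extfile/-extensions pair from sign_server_cert makes all three hostname checks fail, which is the symptom people hit when they only put the SAN in the CSR.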
dthrash commented Mar 1, 2018

How does the private key fit in here? Doesn't the pem file need to be generated too?

fxpires commented Mar 6, 2018

The files with ".key" extension are the private keys.

qfan commented Apr 23, 2018

Is there a way to inform openssl to ask for the SAN (Subject Alternative Name) when generating the CSR?

kalloa commented May 12, 2018

@qfan You can use the -config option to pass the SAN to openssl:
openssl req -new -key mydomain.com.key -out mydomain.com.csr -config certificate.conf
This is an example of certificate.conf:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = HU
ST = Budapest
L = Budapest
O = ACME
OU = ACME Inc
emailAddress = kalloa@example.com
CN = example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com

jkpaye commented May 31, 2018

Suggest you change the encryption from triple des to something stronger.

scipilot commented Jun 11, 2018

@qfan You will also need to pass the same config to the x509 command when you use the CSR, with -extfile certificate.conf -extensions req_ext. Took me a while to figure out.

Fermec28 commented Jun 25, 2018

Can I generate the certificate using the third-domain csr and key along with the CA mydomain key?
Root
mydomain
third-domain
