@gvsrini
Forked from dasniko/create_x509_certs.md
Created October 5, 2023 04:34
Creating self-signed TLS certificates with a self-signed root CA

Create X.509 certificates

(Steps taken from: https://www.baeldung.com/x-509-authentication-in-spring-security)

All passwords: changeit

RootCA

openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout rootCA.key -out rootCA.crt

Host certificate

openssl req -new -newkey rsa:4096 -keyout localhost.key -out localhost.csr -nodes

Sign the host CSR with the root CA (the extension file localhost.ext is listed at the end of this page):

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in localhost.csr -out localhost.crt -days 365 -CAcreateserial -extfile localhost.ext

Client (user) certificate

openssl req -new -newkey rsa:4096 -nodes -keyout fredFlintstone.key -out fredFlintstone.csr

Sign the client CSR with the root CA:

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in fredFlintstone.csr -out fredFlintstone.crt -days 365 -CAcreateserial

Bundle the client key and certificate into a PKCS#12 keystore; this is the "certificate" file that gets imported into the browser:

openssl pkcs12 -export -out fredFlintstone.p12 -name "fredFlintstone" -inkey fredFlintstone.key -in fredFlintstone.crt

localhost.ext (the extension file passed via -extfile when signing the host CSR):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
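The whole procedure above, run non-interactively and then checked, as an added example that is not part of the original gist. It assumes `openssl` is on the PATH; the subject names, the use of `-subj`/`-passout`/`-passin` to avoid prompts, and the temporary working directory are additions for the example.

```shell
#!/bin/sh
# Added example: replays the gist's steps in a temp dir, then verifies the
# properties a browser or TLS client will actually check.
set -eu

make_and_verify_certs() {
    work=$(mktemp -d)
    cd "$work"
    pass="changeit"   # the gist uses this password everywhere

    # Root CA (self-signed), key encrypted with the password, no prompts
    openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 \
        -keyout rootCA.key -out rootCA.crt -passout "pass:$pass" \
        -subj "/CN=Example Root CA" 2>/dev/null

    # Extension file from the gist: a leaf (CA:FALSE) with a DNS SAN
    cat > localhost.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
EOF
    # Host CSR, then sign it with the root CA and the extension file
    openssl req -new -newkey rsa:4096 -nodes -keyout localhost.key \
        -out localhost.csr -subj "/CN=localhost" 2>/dev/null
    openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -passin "pass:$pass" \
        -in localhost.csr -out localhost.crt -days 365 -CAcreateserial \
        -extfile localhost.ext 2>/dev/null

    # Check 1: the host cert chains to the root CA
    openssl verify -CAfile rootCA.crt localhost.crt >/dev/null
    # Check 2: the SAN is present (browsers ignore the CN for hostname matching)
    openssl x509 -in localhost.crt -noout -text | grep -q 'DNS:localhost'
    # Check 3: the leaf cannot be used to issue further certificates
    openssl x509 -in localhost.crt -noout -text | grep -q 'CA:FALSE'
    # Check 4: the client cert, signed without -extfile as in the gist, gets no
    # SAN; fine for client auth, but it would be rejected as a server cert
    openssl req -new -newkey rsa:4096 -nodes -keyout client.key \
        -out client.csr -subj "/CN=fredFlintstone" 2>/dev/null
    openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -passin "pass:$pass" \
        -in client.csr -out client.crt -days 365 -CAcreateserial 2>/dev/null
    if openssl x509 -in client.crt -noout -text | grep -q 'Subject Alternative Name'; then
        return 1
    fi
    echo "$work"   # print the directory holding the generated files
}
```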