@intolerance
Last active November 12, 2020 15:09
OpenSSL -- CSR and PFX

Generate a CSR with subjectAltName (SAN) entries and a PFX on macOS (OpenSSL v1.1.1)

Generate CSR with SAN included

The following openssl commands target OpenSSL v1.1.1 (brew install openssl@1.1).

Create the CSR for a wildcard certificate:

# Using OpenSSL v1.1.1 on macOS
# This prompts for the subject fields; set the Common Name to *.domain.com for a wildcard certificate
# !!! Remember the private key (PEM) password -- you will need it later !!!
openssl req -out csr.csr -new -newkey rsa:2048 -keyout privatekey.key

Create the CSR with the subjectAltName extension (optional):

# Using OpenSSL v1.1.1 on macOS
# Modify the domains listed before running...
# The <( ... ) process substitution requires bash or zsh; it appends a [SAN] section to the stock config
# !!! Remember the private key (PEM) password -- you will need it later !!!
openssl req -out csr.csr -new -newkey rsa:2048 -keyout privatekey.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:domain.com,DNS:www.domain.com,DNS:*.domain.com"))

To verify your SANs are included in the CSR:

# This command prints the decoded CSR; check for "X509v3 Subject Alternative Name" under Requested Extensions
openssl req -in csr.csr -noout -text

Generate PFX

Once the CA has signed your certificate, create a PFX from the signed .cer and the .key you generated alongside the CSR.

Generate the PFX:

# Using OpenSSL v1.1.1 on macOS
# Enter the private key password when prompted, then choose an export password for the PFX
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.cer
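The same workflow as an added, non-interactive POSIX sh script (not part of the gist): a config file replaces the bash-only <( ... ) trick, and it adds the checks worth running before a CSR goes to a CA, namely that the SANs are present and that the CSR's public key matches the private key. It assumes openssl 1.1.1 or later in PATH; example.com and the passwords are constructed placeholders, and a one-day self-signed certificate stands in for the CA-issued .cer.

```shell
# Added example, not from the gist. Assumes openssl 1.1.1+ in PATH; example.com is a placeholder.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# A config file gives the same SAN section as the gist's <(...) trick, but works in plain sh.
write_csr_config() {
    cat > "$WORK/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = SAN
prompt             = no
[dn]
CN = *.example.com
[SAN]
subjectAltName = DNS:example.com,DNS:www.example.com,DNS:*.example.com
EOF
}

# Encrypted RSA key plus a CSR carrying the SAN extension, no prompts ($1 = key password).
make_csr() {
    write_csr_config
    openssl req -new -newkey rsa:2048 -keyout "$WORK/privatekey.key" -passout "pass:$1" \
        -out "$WORK/csr.csr" -config "$WORK/csr.cnf" -reqexts SAN 2>/dev/null
}

# Succeeds only if every DNS name given as an argument appears in the CSR's SAN extension.
csr_has_sans() {
    sans=$(openssl req -in "$WORK/csr.csr" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
    for name in "$@"; do
        case "$sans" in *"DNS:$name"*) ;; *) return 1 ;; esac
    done
}

# The CSR must embed the public half of our key: compare digests of both public keys ($1 = key password).
csr_matches_key() {
    k=$(openssl rsa -in "$WORK/privatekey.key" -passin "pass:$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$WORK/csr.csr" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Bundle key and signed cert into a PFX ($1 = key password, $2 = PFX password), then check it opens.
# A one-day self-signed cert stands in for the CA-issued certificate.cer.
make_pfx() {
    openssl x509 -req -in "$WORK/csr.csr" -signkey "$WORK/privatekey.key" -passin "pass:$1" \
        -days 1 -extfile "$WORK/csr.cnf" -extensions SAN -out "$WORK/certificate.cer" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/privatekey.key" -passin "pass:$1" \
        -in "$WORK/certificate.cer" -passout "pass:$2" -out "$WORK/certificate.pfx"
    openssl pkcs12 -in "$WORK/certificate.pfx" -passin "pass:$2" -noout 2>/dev/null
}
```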