@mtvbrianking
Last active December 27, 2022 08:49
OpenSSL / MTLS / Wildcard Certificates / Subject Alternative Name

Certificate Authority

Self-signed CA for local dev

openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365 -subj "/CN=poseidon"

Server

Let an API be our server

openssl req -nodes -newkey rsa:2048 -keyout api.example.local.key -out api.example.local.csr -days 180 -subj "/CN=api.example.local"
openssl x509 -req -CAcreateserial -CA ca.crt -CAkey ca.key -days 180 -in api.example.local.csr -out api.example.local.crt
openssl pkcs12 -export -out api.example.local.pfx -inkey api.example.local.key -in api.example.local.crt

Client

A frontend dashboard consuming the API can be our client

openssl req -nodes -newkey rsa:2048 -keyout example.local.key -out example.local.csr -days 90 -subj "/CN=example.local"
openssl x509 -req -CAcreateserial -CA ca.crt -CAkey ca.key -days 90 -in example.local.csr -out example.local.crt
openssl pkcs12 -export -out example.local.pfx -inkey example.local.key -in example.local.crt

Create Self Signed CA

openssl req -x509 -nodes \
  -newkey rsa:4096 -keyout ca.key \
  -out ca.crt -days 365 -subj "/CN=poseidon"

Create CSR config with SAN

The Subject Alternative Name can't be passed on the command line, so it goes in a config file:

cat > example.local.cnf <<-EOF
[req]
prompt = no
distinguished_name = subject
req_extensions = v3_req

[ subject ]
C = UG
ST = Central
L = Kampala
O = Example Inc
OU = IT Department
CN = *.example.local
emailAddress = it@example.local

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.local
DNS.2 = *.example.local
EOF

Generate CSR from config

openssl req -nodes -days 90 -newkey rsa:2048 \
  -keyout example.local.key \
  -out example.local.csr \
  -config example.local.cnf

Verify CSR details...

openssl req -in example.local.csr -text -noout

Sign CSR, preserving the SAN

You need to pass the CSR's extensions (the SAN) while signing; otherwise the SAN in the issued certificate will be empty.

openssl x509 -req -CAcreateserial -days 90 \
  -CA ca.crt -CAkey ca.key \
  -in example.local.csr -out example.local.crt \
  -extensions v3_req -extfile example.local.cnf

Verify cert details...

openssl x509 -in example.local.crt -text -noout
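As an added example (not part of this gist), the script below runs the procedure above end to end in a temp directory and checks the result: it signs the same SAN CSR once without and once with `-extensions v3_req -extfile`, prints the SAN of each certificate so the empty-SAN failure mode is visible, verifies the issued certificate against the CA with a hostname check, and then does the PKCS#12 export from the Server and Client sections non-interactively and confirms the bundled key belongs to the certificate. It assumes only the openssl CLI (1.1.1 or 3.x) on PATH; the CA config, 2048-bit keys, file names and the `changeit` export password are constructed for this script. The CA gets an explicit `[v3_ca]` section because `openssl verify` only accepts an issuer that carries `basicConstraints CA:TRUE`, which the one-line CA command above inherits from the default openssl.cnf `v3_ca` section when that file is present.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist. Assumes only the openssl CLI
# (1.1.1 or 3.x) on PATH; every file name and the "changeit" export
# password are constructed for this script and live in a temp directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Local CA. The [v3_ca] section is given explicitly so the CA cert carries
# basicConstraints CA:TRUE even on a system without a default openssl.cnf;
# without it, "openssl verify" rejects the CA as an issuer.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = subject

[ subject ]
CN = poseidon

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 365 -config "$WORK/ca.cnf" -extensions v3_ca
}

# CSR config with the wildcard SAN, as in the gist, then the CSR itself.
make_csr() {
  cat > "$WORK/example.local.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = subject
req_extensions = v3_req

[ subject ]
CN = *.example.local

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.local
DNS.2 = *.example.local
EOF
  openssl req -nodes -newkey rsa:2048 -keyout "$WORK/example.local.key" \
    -out "$WORK/example.local.csr" -config "$WORK/example.local.cnf"
}

# Sign the CSR. $1 = "with" passes -extensions/-extfile so the SAN survives;
# "without" is the plain signing command, which silently drops it.
sign_csr() {
  out="$WORK/example.local.$1.crt"
  if [ "$1" = "with" ]; then
    openssl x509 -req -CAcreateserial -days 90 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -in "$WORK/example.local.csr" -out "$out" \
      -extensions v3_req -extfile "$WORK/example.local.cnf"
  else
    openssl x509 -req -CAcreateserial -days 90 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -in "$WORK/example.local.csr" -out "$out"
  fi
}

# DNS names in the certificate's SAN, one per line (empty when the extension is absent).
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' || true
}

# Chain plus hostname check: what a TLS peer does before trusting the certificate.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null
}

# Non-interactive PKCS#12 export (the gist's command prompts for the password),
# then a check that the bundled private key really belongs to the certificate
# by comparing the public key extracted from each side.
export_pfx() {
  openssl pkcs12 -export -out "$WORK/example.local.pfx" -inkey "$WORK/example.local.key" \
    -in "$WORK/example.local.with.crt" -certfile "$WORK/ca.crt" -passout pass:changeit
}
pfx_key_matches_cert() {
  pfx_pub="$(openssl pkcs12 -in "$WORK/example.local.pfx" -nocerts -nodes -passin pass:changeit | openssl pkey -pubout)"
  crt_pub="$(openssl x509 -in "$WORK/example.local.with.crt" -pubkey -noout)"
  [ "$pfx_pub" = "$crt_pub" ]
}

make_ca
make_csr
sign_csr without
sign_csr with
echo "SAN without -extensions: [$(cert_san "$WORK/example.local.without.crt")]"
echo "SAN with    -extensions: [$(cert_san "$WORK/example.local.with.crt" | tr '\n' ' ')]"
verify_chain "$WORK/example.local.with.crt" api.example.local && echo "api.example.local: chain and hostname OK"
export_pfx
pfx_key_matches_cert && echo "pfx private key matches the certificate"
```

The hostname check passes for `api.example.local` (matched by `*.example.local`) and for the bare `example.local` (matched by `DNS.1`), and fails for any name outside the SAN. One detail worth knowing when reading the commands above: `openssl req -days` only has an effect together with `-x509`; on a plain CSR it is ignored, so the validity of the issued certificate comes from the `-days` given to `openssl x509 -req`.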
