Generate self-signed SSL certificate and key:
sudo openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.cert
Apache config location by package family:
/etc/apache2 (deb)
/etc/httpd/conf.d (rpm)
Generate CSR:
openssl req -nodes -newkey rsa:4096 -keyout privkey.pem -out csr.pem
Generate CSR without prompt:
openssl req -nodes -newkey rsa:4096 -keyout privkey.pem -out csr.pem -subj "/C=COUNTRY/ST=STATE/O=COMPANY/OU=CLIENT/CN=SITE"
Explanation of the -subj fields:
Field | Meaning | Example |
---|---|---|
/C= | Country | US |
/ST= | State | Hawaii |
/O= | Organization | My Company |
/OU= | Organizational Unit | IT Department |
/CN= | Common Name | example.com |
Check CSR values:
openssl req -text -noout -verify -in CSRFILE
Check SSL expiry:
openssl x509 -noout -enddate -in /path/to/cert.pem
Generate self-signed certificate and key (valid 3650 days, key not encrypted):
openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out localhost.crt -keyout localhost.key
Validate cert/key:
openssl x509 -noout -modulus -in CERT | openssl md5
openssl rsa -noout -modulus -in KEY | openssl md5
The two digests should match! (The modulus comparison applies to RSA keys.)
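
The expiry check and the cert/key validation above, wrapped as script functions with exit codes. This is an added example, not part of the original notes. It compares full public keys instead of the RSA modulus so it also covers EC keys. The function names, file names and CN are constructed for the demo.

```shell
#!/bin/sh
# Added example. File names and the CN below are constructed for the demo.

# Public key (PEM) embedded in a certificate / derived from a private key.
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pub_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = cert and key belong together, 1 = mismatch, 2 = a file could not be parsed.
# Comparing public keys also works for EC keys, which have no RSA modulus.
cert_matches_key() {
    c=$(pub_from_cert "$1") || return 2
    k=$(pub_from_key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 = cert is still valid $2 days from now; non-zero = it expires before then
# (or the file could not be read).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Throwaway self-signed pair: $1 = directory, $2 = base name, $3 = lifetime in days.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=demo.invalid" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d" a 365 && make_pair "$d" b 10 || return 1
    cert_matches_key "$d/a.crt" "$d/a.key" && echo "a.crt + a.key: match"
    cert_matches_key "$d/a.crt" "$d/b.key" || echo "a.crt + b.key: MISMATCH"
    cert_valid_for_days "$d/b.crt" 30 || echo "b.crt: expires within 30 days"
    rm -rf "$d"
}
demo
```

An encrypted private key makes `openssl pkey` ask for the passphrase, so run the match check interactively for such keys.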