@nikhilgeo
Last active July 26, 2020 13:03
Create CA and self-signed cert X.509 v3
1 Create CA
1.1 Create keys
openssl genrsa -out rootCA_key.key 2048
Add -des3 to encrypt the key file with a passphrase; openssl will prompt for it when the key is created and again every time the key is used (including each certificate you sign). Keep the root key encrypted and off the machines that serve traffic: whoever holds it can issue certificates that every client trusting this CA will accept.
1.2 Create Root CA cert with constraint CA = true
openssl req -x509 -new -nodes -key rootCA_key.key -sha256 -days 1024 -out rootCA_crt.pem -extensions v3_ca -reqexts v3_req -config /usr/local/etc/openssl/openssl.cnf
-extensions v3_ca selects the v3_ca section of the stock openssl.cnf, which sets basicConstraints = critical,CA:true plus subject/authority key identifiers; that is what makes this a CA certificate. -reqexts only affects CSRs and does nothing together with -x509. -nodes is likewise a no-op here because the key already exists. The config path shown is Homebrew's on macOS; on Debian/Ubuntu it is /etc/ssl/openssl.cnf and on RHEL/Fedora /etc/pki/tls/openssl.cnf.
2 Create server (TLS) cert signed by the Root CA
2.1 Create file named v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# DNS.1 must match the Common Name you enter in the CSR below
DNS.1 = domain1.com
DNS.2 = domain2.dev
IP.1 = X.X.X.X
Modern browsers (Chrome since 58, Apple platforms since iOS 13 / macOS 10.15) match the hostname against subjectAltName only and ignore the CN, so every name or address the server is reached by must be listed here, and an address must be an IP entry, not a DNS one. The numeric suffixes (DNS.1, IP.1) only have to be unique within the section. Apple platforms additionally require extendedKeyUsage = serverAuth in TLS server certificates, so add that line to v3.ext if the cert must be trusted by Safari or iOS.
2.2 Create CSR
openssl req -new -nodes -out server_csr.csr -newkey rsa:2048 -keyout server_key.key
This prompts for the subject fields: set Common Name to domain1.com (the same as DNS.1 in v3.ext) and leave the challenge password empty. -nodes leaves server_key.key unencrypted so the web server can load it without a passphrase; restrict its file permissions accordingly.
2.3 Issue crt with Root CA
openssl x509 -req -in server_csr.csr -CA rootCA_crt.pem -CAkey rootCA_key.key -CAcreateserial -out server_crt.crt -days 500 -sha256 -extfile v3.ext
-extfile v3.ext is what puts the SAN and basicConstraints into the issued certificate; openssl x509 -req ignores any extensions carried in the CSR. -CAcreateserial creates rootCA_crt.srl next to the CA cert if it does not exist and increments it on each signing, so keep that file with the CA key so serial numbers stay unique. 500 days is within the 825-day maximum that Apple platforms accept for TLS server certificates.
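The whole procedure (1.1 through 2.3) as one script, added here and not part of the original gist: it runs non-interactively, supplies its own minimal ca.cnf instead of the system openssl.cnf, adds extendedKeyUsage = serverAuth to v3.ext, and finishes with the checks a browser performs (chain to the root, hostname and IP present in the SAN). The scratch directory, ca.cnf, the function names and the placeholder names domain1.com, domain2.dev and 10.0.0.1 are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original gist): steps 1.1 to 2.3 run end to
# end, non-interactively, then verified the way a browser verifies them.
# Assumptions of this script: a scratch directory from mktemp, a self-contained
# ca.cnf instead of the system openssl.cnf, placeholder names/addresses.
set -eu
cd "$(mktemp -d)"

make_ca() {
    # 1.1 + 1.2: root key and self-signed CA cert. ca.cnf carries the v3_ca
    # extensions the gist takes from openssl.cnf: CA:TRUE plus key identifiers.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out rootCA_key.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key rootCA_key.key -sha256 -days 1024 \
        -out rootCA_crt.pem -config ca.cnf
}

make_server_cert() {
    # 2.1: the gist's v3.ext plus extendedKeyUsage = serverAuth (required by
    # Apple platforms). IP.1 instead of IP.3: the suffix only has to be unique.
    cat > v3.ext <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain1.com
DNS.2 = domain2.dev
IP.1 = 10.0.0.1
EOF
    # 2.2: CSR with CN = DNS.1, given via -subj instead of the prompts.
    # ca.cnf is reused only so nothing depends on the system openssl.cnf.
    openssl req -new -nodes -newkey rsa:2048 -keyout server_key.key \
        -out server_csr.csr -subj "/CN=domain1.com" -config ca.cnf 2>/dev/null
    # 2.3: sign with the root; -extfile is what puts the SAN into the cert.
    openssl x509 -req -in server_csr.csr -CA rootCA_crt.pem -CAkey rootCA_key.key \
        -CAcreateserial -out server_crt.crt -days 500 -sha256 -extfile v3.ext 2>/dev/null
}

# "yes" if the cert carries basicConstraints CA:TRUE, "no" otherwise.
is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Succeed only if server_crt.crt chains to the root AND covers the given
# hostname / IP address: the two things a browser checks.
verify_host() { openssl verify -CAfile rootCA_crt.pem -verify_hostname "$1" server_crt.crt >/dev/null 2>&1; }
verify_ip()   { openssl verify -CAfile rootCA_crt.pem -verify_ip "$1" server_crt.crt >/dev/null 2>&1; }

make_ca
make_server_cert
printf 'root is CA: %s, server is CA: %s\n' "$(is_ca rootCA_crt.pem)" "$(is_ca server_crt.crt)"
if verify_host domain1.com && verify_host domain2.dev && verify_ip 10.0.0.1; then
    echo "chain and SAN OK"
else
    echo "verification FAILED"
fi
```

A name that is not in the SAN (verify_host other.example) fails even though the chain is valid, which is exactly the failure you see in a browser when the SAN list is incomplete.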
MISC:
1) pem to crt (binary DER encoding; ".crt" is only a filename convention and may hold either PEM or DER)
openssl x509 -outform der -in rootCA_crt.pem -out rootCA_crt.crt
2) key to pem
openssl rsa -in server.key -text > private.pem
-text writes a human-readable dump of the key before the PEM block. Most PEM readers skip the leading text, but not all; drop -text (and use -out private.pem) if you want only the PEM block.
3) der to crt (back to PEM, which is the default output form)
openssl x509 -in burp_cacert.der -inform DER -out burp_mycert.crt
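The three MISC conversions as functions, each checked by comparing the certificate's SHA-256 fingerprint or the key's RSA modulus before and after, so a wrong -inform/-outform is caught immediately rather than when a browser or web server refuses the file. This is an added example, not part of the gist; the throwaway self-signed cert and key it converts, the function names and the scratch directory are constructed for it.

```shell
#!/bin/sh
# Added example (not from the original gist): the MISC conversions as
# functions, verified by fingerprint / modulus comparison. The cert, key and
# scratch directory below are constructed input, not the gist's files.
set -eu
cd "$(mktemp -d)"

# Throwaway self-signed cert + key to convert.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout server.key -out cert.pem \
    -subj "/CN=conversion.test" -days 1 2>/dev/null

pem_to_der() { openssl x509 -in "$1" -outform der -out "$2"; }   # 1) pem to crt (DER)
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2"; }    # 3) der to crt (PEM)
key_to_pem() { openssl rsa -in "$1" -out "$2" 2>/dev/null; }     # 2) key to pem, PEM block only

# SHA-256 fingerprint of a cert in the given encoding. It is computed over the
# DER bytes, so re-encoding between PEM and DER must not change it.
fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2; }

# RSA public modulus of a private key; identical before and after conversion.
modulus() { openssl rsa -in "$1" -noout -modulus 2>/dev/null; }

# Reports whether a file is PEM-armored or DER, since a .crt extension says
# nothing about the encoding. "unknown" for anything else.
encoding_of() {
    if head -c 11 "$1" | grep -q -- '-----BEGIN'; then echo PEM
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then echo DER
    else echo unknown; fi
}

cert_roundtrip_ok() {
    pem_to_der cert.pem cert.der
    der_to_pem cert.der cert_back.pem
    [ "$(fingerprint cert.pem PEM)" = "$(fingerprint cert.der DER)" ] &&
        [ "$(fingerprint cert.der DER)" = "$(fingerprint cert_back.pem PEM)" ]
}

key_roundtrip_ok() {
    key_to_pem server.key private.pem
    [ "$(modulus server.key)" = "$(modulus private.pem)" ]
}

if cert_roundtrip_ok && key_roundtrip_ok; then
    echo "conversions verified: cert.der is $(encoding_of cert.der), cert_back.pem is $(encoding_of cert_back.pem)"
else
    echo "conversion changed the certificate or key"
fi
```

When a browser reports an unknown issuer after you import a converted CA file, comparing fingerprints like this is the first thing to rule out: if they differ, you imported a different certificate, not a differently encoded one.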
Reference:
This has been borrowed from the sources below and modified for my specific use case (IP in SAN, constraint CA = true).
https://github.com/jetstack/cert-manager/issues/279
https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key