
Create Root CA and Server Certificate


Create the Root Certificate (Done Once)

Create the Root Private Key

$ openssl genrsa -out root-key.pem 2048

Create the Root Certificate Authority

$ openssl req -x509 -new -nodes \
          -key root-key.pem \
          -sha256 -days 1024 \
          -out root-ca.pem \
          -subj "/C=US/ST=California/L=Palo Alto/O=Pivotal Software, Inc./OU=Pivotal Demos/CN=Pivotal Demos Root CA/"

Verify the Root Certificate Authority

$ openssl x509 -text -in root-ca.pem

Create Server Certificate (Once Per PCF Installation)

Copy your default openssl.cnf file to a temporary openssl-san.cnf file

$ cp /usr/local/etc/openssl/openssl.cnf openssl-san.cnf

Edit the openssl-san.cnf file to add the required additional parameters. The DNS entries must live in their own `[ alt_names ]` section, which is what `@alt_names` refers to (one entry per hostname or wildcard the server must answer for):

[ req ]
req_extensions = v3_req # The extensions to add to a certificate request

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]

DNS.1 = *
DNS.2 = *
DNS.3 = *
DNS.4 = *
DNS.5 = *
DNS.6 = *

Create the Server Private Key

$ openssl genrsa -out server-key.pem 2048

Create Server Certificate Signing Request

$ openssl req -sha256 -new \
          -key server-key.pem \
          -out server-csr.pem \
          -config openssl-san.cnf \
          -subj "/C=US/ST=California/L=Palo Alto/O=Pivotal Software, Inc./OU=Pivotal Demos/CN=*"

Verify multiple SANs in your CSR

$ openssl req -text -noout -in server-csr.pem

Create Server Certificate Signed by the Root CA

$ openssl x509 -req \
          -in server-csr.pem \
          -CA root-ca.pem \
          -CAkey root-key.pem \
          -CAcreateserial \
          -out server-cert.pem \
          -days 500 -sha256 \
          -extensions v3_req \
          -extfile openssl-san.cnf

Verify multiple SANs in your Certificate

$ openssl x509 -text -in server-cert.pem
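As an added example that is not part of the gist, the whole procedure above as one POSIX shell function, finished with the check the gist stops short of: `openssl verify` against the new root, including hostname matching against the SAN list. It carries its own minimal config (with the `[ alt_names ]` section) instead of copying the system openssl.cnf; the hostnames and subject values are constructed placeholders.

```shell
# Added example (not the gist's): build the root CA and SAN server cert
# described above in a scratch dir, then prove it with `openssl verify`.
# Hostnames and DN values are constructed placeholders.
set -eu

make_and_verify_chain() {
  dir=$(mktemp -d) && cd "$dir"
  # Stand-alone config (replaces the copied openssl.cnf); note the
  # [ alt_names ] section that "@alt_names" refers to.
  cat > openssl-san.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca    # used by `req -x509` (root)
req_extensions     = v3_req   # used for the CSR
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = *.apps.demo.example
DNS.2 = *.sys.demo.example
DNS.3 = api.demo.example
EOF
  openssl genrsa -out root-key.pem 2048 2>/dev/null
  openssl req -x509 -new -nodes -key root-key.pem -sha256 -days 1024 \
    -config openssl-san.cnf -out root-ca.pem -subj "/O=Demo/CN=Demo Root CA"
  openssl genrsa -out server-key.pem 2048 2>/dev/null
  openssl req -sha256 -new -key server-key.pem -config openssl-san.cnf \
    -out server-csr.pem -subj "/O=Demo/CN=*.apps.demo.example"
  openssl x509 -req -in server-csr.pem -CA root-ca.pem -CAkey root-key.pem \
    -CAcreateserial -out server-cert.pem -days 500 -sha256 \
    -extensions v3_req -extfile openssl-san.cnf 2>/dev/null
  # 1) the leaf chains to the root we just made
  openssl verify -CAfile root-ca.pem server-cert.pem >/dev/null
  # 2) a name covered by the SAN list (wildcard) is accepted ...
  openssl verify -CAfile root-ca.pem -verify_hostname login.sys.demo.example \
    server-cert.pem >/dev/null
  # 3) ... and a name outside the SAN list is rejected
  if openssl verify -CAfile root-ca.pem -verify_hostname evil.example \
      server-cert.pem >/dev/null 2>&1; then
    echo "unexpected: unlisted hostname accepted" >&2; return 1
  fi
  echo "chain and SANs verified in $dir"
}
```

Call `make_and_verify_chain` after sourcing; it exits non-zero at the first failing step, so a missing `[ alt_names ]` section or a hostname outside the list shows up immediately.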