@rsevilla87
Last active October 8, 2018 21:07
Generate new CA and signed certificate cheatsheet

Generate your own CA and sign a certificate with it

Create a 2048 bit RSA private key

$ openssl genrsa -out ca.key 2048

It's also possible to generate an encrypted (passphrase-protected) RSA key by adding one of the following cipher options: -aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea

e.g.

$ openssl genrsa -out rsakey.key -des 2048

Create CA certificate

Generate the CA certificate. Because this is a CA certificate, the CN does not need to be a FQDN.

$ openssl req -x509 -key ca.key -out ca.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Madrid
Locality Name (eg, city) [Default City]:Madrid
Organization Name (eg, company) [Default Company Ltd]:My site
Organizational Unit Name (eg, section) []:Systems department
Common Name (eg, your name or your server's hostname) []:My site certificate authority
Email Address []:ca@mysite.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The CA certificate is self-signed, so its subject and issuer must match:

$ openssl x509 -noout -in ca.crt -subject -issuer
subject=C = ES, ST = Madrid, L = Madrid, O = My site, OU = Systems department, CN = My site certificate authority, emailAddress = ca@mysite.com
issuer=C = ES, ST = Madrid, L = Madrid, O = My site, OU = Systems department, CN = My site certificate authority, emailAddress = ca@mysite.com

Sign a certificate

Create a new private key

$ openssl genrsa -out mysite.com.key 2048

To generate the CSR and the final certificate, set up an OpenSSL configuration file (openssl.conf, referenced by -extfile below) like the following. Note that this configuration file contains some X509v3 extensions, such as subject alternative names:

[ my_extensions ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=@alt_names

[ alt_names ]
DNS.1 = mysite.com
DNS.2 = *.mysite.com

Generate the CSR. When prompted for the Common Name, enter the effective FQDN of the site (here mysite.com), since it is carried into the certificate:

$ openssl req -new -key mysite.com.key -out mysite.com.csr

Create signed certificate

$ openssl x509 -req -in mysite.com.csr -CAkey ca.key -CA ca.crt -out mysite.com.crt -days 365 -extfile openssl.conf -extensions my_extensions -CAcreateserial -CAserial mysite.com.srl

This command also creates a mysite.com.srl file containing the certificate serial number.

The signed certificate issuer must be the CA.

$ openssl x509 -in mysite.com.crt -noout -issuer -subject
issuer=C = ES, ST = Madrid, L = Madrid, O = My site, OU = Systems department, CN = My site certificate authority, emailAddress = ca@mysite.com
subject=C = ES, ST = Madrid, L = Madrid, O = My site, OU = Systems department, CN = mysite.com, emailAddress = mailbox@mysite.com

Use the CA to verify the certificate

$ openssl verify -CAfile ca.crt mysite.com.crt
mysite.com.crt: OK

We can check if extensions were properly configured

$ openssl x509 -in mysite.com.crt -noout -text | grep -A 1 X509v3

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                1F:50:7E:91:DE:EF:02:ED:4E:E0:C9:FA:3A:FD:C5:F1:E5:1D:64:4F
            X509v3 Authority Key Identifier: 
                keyid:9B:32:D4:12:BB:78:FB:36:4C:E3:6A:B6:D4:EF:8D:D5:90:5A:3C:E6
            X509v3 Subject Alternative Name: 
                DNS:mysite.com, DNS:*.mysite.com
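The whole procedure above as one non-interactive script, plus the checks the gist makes by eye (self-issued CA, issuer equals CA, chain verifies, CA:FALSE, wildcard SAN, leaf AKI matching the CA SKI), written as an added example rather than the gist author's code. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the scratch directory, the -subj DN strings and the helper function names are mine, while the file names, DN values and extension section are the gist's.

```shell
#!/bin/sh
# Added example, not part of the gist: the procedure above, non-interactively.
# Assumes the openssl CLI (1.1.1 or newer) on PATH; names are the gist's own.
make_ca_and_leaf() (            # subshell body: the cd does not leak out
  set -e
  dir=$(mktemp -d) && cd "$dir"
  cat > openssl.conf <<'EOF'
[ my_extensions ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=@alt_names

[ alt_names ]
DNS.1 = mysite.com
DNS.2 = *.mysite.com
EOF
  # CA key and self-signed CA certificate; -subj replaces the interactive DN prompts.
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -key ca.key -out ca.crt -days 365 \
    -subj "/C=ES/ST=Madrid/L=Madrid/O=My site/CN=My site certificate authority"
  # Leaf key, CSR with the effective FQDN as CN, then sign it with the CA and extensions.
  openssl genrsa -out mysite.com.key 2048 2>/dev/null
  openssl req -new -key mysite.com.key -out mysite.com.csr \
    -subj "/C=ES/ST=Madrid/O=My site/CN=mysite.com"
  openssl x509 -req -in mysite.com.csr -CAkey ca.key -CA ca.crt -out mysite.com.crt \
    -days 365 -extfile openssl.conf -extensions my_extensions \
    -CAcreateserial -CAserial mysite.com.srl 2>/dev/null
  echo "$dir"
)

# Helpers strip the "subject="/"issuer=" and "keyid:" prefixes so values compare cleanly.
field() { openssl x509 -in "$1" -noout "$2" | sed 's/^[a-z]*=//'; }
keyid() { openssl x509 -in "$1" -noout -text | grep -A1 "$2" | tail -1 | tr -d ' ' | sed 's/^keyid://'; }

# 0 only if: CA self-issued, leaf issued by CA, chain verifies, leaf not a CA,
# wildcard SAN present, and the leaf's AKI points at the CA's SKI.
check_chain() {
  ca=$1/ca.crt; leaf=$1/mysite.com.crt
  [ "$(field "$ca" -subject)" = "$(field "$ca" -issuer)" ] || return 1
  [ "$(field "$leaf" -issuer)" = "$(field "$ca" -subject)" ] || return 1
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$leaf" -noout -text)
  echo "$text" | grep -q 'CA:FALSE' || return 1
  echo "$text" | grep -q 'DNS:\*\.mysite\.com' || return 1
  [ "$(keyid "$leaf" 'Authority Key Identifier')" = "$(keyid "$ca" 'Subject Key Identifier')" ]
}
CHAIN_DIR=$(make_ca_and_leaf)
check_chain "$CHAIN_DIR" && echo "chain OK in $CHAIN_DIR"
```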