Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096
If you want a non password protected key just remove the -des3
option
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
This only works for browsers you control
I tried importing to my OS certifiocates but that didn't work for me
Importing my rootCA.crtto the browsers did work (eventually)
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA
My example is for a local dev server where I have a matching entry in my /etc/hosts file for the IP
openssl genrsa -out dot.burlington.me.uk.key 2048
The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.
Important: Please mind that while creating the signign request is important to specify the Common Name
providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
You also need to specify a SAN / subjectAltName or chrome wont accept it
openssl req -new -sha256 \
-key dot.burlington.me.uk.key \
-subj "/C=UK/ST=Dorset/O=Tangible Bytes Ltd/OU=Development/CN=dot.burlington.me.uk" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:dot.burlington.me.uk")) \
-out dot.burlington.me.uk.csr
openssl req -in dot.burlington.me.uk.csr -noout -text
openssl x509 -req -extfile <(printf "subjectAltName=DNS:dot.burlington.me.uk") -days 120 -in dot.burlington.me.uk.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out dot.burlington.me.uk.crt -sha256
openssl x509 -in dot.burlington.me.uk.crt -text -noout