Attention: this is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096
If you want a key that is not password protected, just remove the -des3 option (the signing steps below will then run without a passphrase prompt).
Most Important Thing!
- Always create certificates with a subjectAltName that corresponds to the Common Name. All systems use subjectAltName to verify the URL you are connecting to, and one of the values present in subjectAltName must match the Host header, that is, the domain name. Modern browsers ignore the Common Name entirely, so a certificate whose only matching name is in the CN is rejected.
- When creating the CSR, use subjectAltName.
- When signing the CSR you must use subjectAltName as well: by default openssl x509 -req does not copy extensions from the CSR into the certificate, so a SAN that is only in the request is silently dropped.
- subjectAltName must contain at least the Common Name.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Here we used our root key to create the root certificate, which needs to be distributed to all the computers that have to trust us (if the key was created with -des3, openssl asks for its passphrase here).
The following procedure needs to be followed for each server/appliance that needs a certificate trusted through our CA.
openssl genrsa -out mydomain.com.key 2048
openssl req -new -sha256 \
-key mydomain.com.key \
-subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
-out mydomain.com.csr
Check that the subjectAltName made it into the request (the <(...) process substitution above needs bash):
openssl req -in mydomain.com.csr -noout -text
While signing we also need to provide the subjectAltName:
openssl x509 -req -extfile <(printf "subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com,IP:10.0.0.10") -days 120 -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -sha256
Include IP:10.0.0.10 (the server's address) only if you are going to connect by IP.
Inspect the issued certificate and confirm that the X509v3 Subject Alternative Name extension is present:
openssl x509 -in mydomain.com.crt -text -noout
Finally, test against the running server (8200 is just the example port). If the root certificate is not yet installed in the system trust store, add -CAfile rootCA.crt so that s_client verifies the chain against our CA, and look for "Verify return code: 0 (ok)" in the output:
openssl s_client -showcerts -connect mydomain.com:8200
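The whole procedure above, run end to end as an added example (this is not code from the original page): it creates the root CA and the server certificate without any prompts, deliberately signs a second copy of the CSR without -extfile, and then checks both the way a TLS client would. It assumes openssl 1.1.1 or 3.x on PATH (LibreSSL lacks -verify_hostname), and the subject fields, file names, the 10.0.0.10 address and the temporary working directory are illustrative choices made here.

```shell
#!/bin/sh
# Added example, not code from the original page: runs the CA procedure above
# end to end without prompts and checks what the page says about subjectAltName.
# Assumptions: `openssl` 1.1.1 or 3.x is on PATH; the subject fields, file
# names and the 10.0.0.10 address are illustrative only.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Step 1: root CA. The key is left unencrypted (no -des3) only so the script
# runs unattended; for a real CA keep the passphrase and the key offline.
make_root_ca() {
  openssl genrsa -out "$WORK/rootCA.key" 4096 2>/dev/null
  cat > "$WORK/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = US
O = MyOrg, Inc.
CN = MyOrg Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -sha256 -days 1024 -key "$WORK/rootCA.key" \
    -config "$WORK/root.cnf" -out "$WORK/rootCA.crt"
}

# Step 2: server key and a CSR carrying the SAN. A config file replaces the
# page's bash-only <(...) process substitution so this also works in plain sh.
make_csr() {
  openssl genrsa -out "$WORK/mydomain.com.key" 2048 2>/dev/null
  cat > "$WORK/csr.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = SAN
[dn]
C = US
ST = CA
O = MyOrg, Inc.
CN = mydomain.com
[SAN]
subjectAltName = DNS:mydomain.com,DNS:www.mydomain.com,IP:10.0.0.10
EOF
  openssl req -new -sha256 -key "$WORK/mydomain.com.key" \
    -config "$WORK/csr.cnf" -out "$WORK/mydomain.com.csr"
}

# Step 3a: sign and supply the SAN again through -extfile, as the page says.
sign_with_san() {
  printf 'subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com,IP:10.0.0.10\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 120 -in "$WORK/mydomain.com.csr" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/mydomain.com.crt"
}

# Step 3b: the mistake the page warns about. By default `x509 -req` does not
# copy extensions from the CSR, so the SAN silently disappears.
sign_without_san() {
  openssl x509 -req -sha256 -days 120 -in "$WORK/mydomain.com.csr" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -out "$WORK/nosan.crt"
}

# Succeeds when the certificate's text dump lists the given SAN entry
# (OpenSSL prints them as DNS:name and "IP Address:a.b.c.d").
has_san() {  # $1 = cert file, $2 = entry such as DNS:www.mydomain.com
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Succeeds when the certificate chains to rootCA.crt and is valid for host $2:
# the two checks a TLS client performs before trusting a server.
verify_host() {  # $1 = cert file, $2 = hostname
  openssl verify -CAfile "$WORK/rootCA.crt" -verify_hostname "$2" "$1" \
    >/dev/null 2>&1
}

make_root_ca
make_csr
sign_with_san
sign_without_san

for c in mydomain.com.crt nosan.crt; do
  has_san "$WORK/$c" "DNS:www.mydomain.com" && s=present || s=missing
  verify_host "$WORK/$c" www.mydomain.com && v=ok || v=FAILED
  echo "$c: SAN $s, verification for www.mydomain.com $v (files in $WORK)"
done
```

The certificate signed with -extfile passes for both mydomain.com and www.mydomain.com and fails for any other name; the one signed without it carries no SAN at all and fails for www.mydomain.com. The test deliberately uses www.mydomain.com rather than the bare CN, because openssl verify still falls back to the Common Name when no DNS SAN is present, whereas browsers do not.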