Generate Self Signed Certificates with x509 extensions

Self-Signed-Certificates-With-x509-extensions.md

openssl.cnf

[ req ]
distinguished_name = req_distinguished_name
policy             = policy_match
x509_extensions     = v3_ca

# For the CA policy
[ policy_match ]
commonName              = optional

[ req_distinguished_name ]
commonName                      = Common Name (eg, your name or your server hostname) ## Print this message
commonName_default              = f5.com
commonName_max                  = 64

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
nsComment = "OpenSSL Generated Certificate"

csr.conf

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = California
L = San Fransisco
O = f5
OU = test
CN = test.f5.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = echoapp.test.f5.com
DNS.2 = app.test.f5.com
IP.1 = 127.0.0.1

cert.conf

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = echoapp.test.f5.com
DNS.2 = app.test.f5.com

CLI

openssl genrsa  -out cakey.pem 4096
openssl req -new -x509 -days 36500 -config openssl.cnf  -key cakey.pem -out cacert.pem
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config csr.conf
openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out server.crt -days 36500 -sha256 -extfile cert.conf