Create certificate with SAN
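# san.cnf — OpenSSL request config for a self-signed TLS server certificate
# with Subject Alternative Names (consumed by: openssl req -x509 ... -config san.cnf).
# OpenSSL config syntax: '#' full-line comments only, one key per line.
[req]
distinguished_name = req_distinguished_name
# Extension section applied when 'req -x509' builds the self-signed certificate.
x509_extensions = v3_req
# Take the subject from [req_distinguished_name] instead of prompting.
prompt = no

[v3_req]
# basicConstraints and authorityKeyIdentifier are X509v3 extension keywords, not
# [req] options: under [req] they are silently ignored and never reach the
# certificate, so they live here where x509_extensions picks them up.
# Leaf certificate: must not be usable to sign other certificates.
basicConstraints = CA:FALSE
# 'keyid' links to the issuer's subjectKeyIdentifier; for this self-signed cert
# (or an issuer without an SKID) OpenSSL is expected to fall back to issuer+serial.
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# Limit the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
# Host names / IPs the certificate is valid for. Modern clients match on the SAN
# only and ignore CN, so every name must appear in [alt_names].
subjectAltName = @alt_names

[req_distinguished_name]
C = SG
ST = CBD
L = Suntec
O = A350
OU = Training
CN = Root-CA

[alt_names]
DNS.1 = myserver.local
DNS.2 = myserver1.local
IP.1 = 192.168.1.1
IP.2 = 192.168.2.1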
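# Ref: https://support.citrix.com/article/CTX135602/how-to-create-a-selfsigned-san-certificate-using-openssl-on-citrix-adc-appliance
# Create a self-signed certificate with SAN. Subject and extensions come from san.cnf.
# -nodes writes key.pem unencrypted (keep it readable by the service user only).
# -extensions 'v3_req' repeats what x509_extensions in san.cnf already selects; harmless.
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout key.pem -out cert.pem -config san.cnf -extensions 'v3_req'
# View the certificate; check the "X509v3 Subject Alternative Name" block is present.
openssl x509 -in cert.pem -noout -text
# View a remote server's certificate. -servername sends SNI so the expected
# certificate is returned; 'echo |' closes stdin so s_client exits after the handshake.
echo | openssl s_client -showcerts -servername www.company.net -connect 172.18.0.240:443 2> /dev/null | openssl x509 -text | less
# Self-signed certificate without SAN, subject given inline.
# Modern browsers ignore CN and require a SAN, so this only suits legacy clients/tools.
openssl req -subj '/CN=www.company.com/O=Company/C=US' -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout key.pem -out cert.pem

# Ref: https://arminreiter.com/2022/01/create-your-own-certificate-authority-ca-using-openssl/
# Generate CA key. *NOTE* example here does not create password to encrypt key. This is only for education purpose. Do not do this in production.
# openssl genrsa -aes256 -out $CANAME.key 4096 <- with password encryption ($CANAME.key is the ref's name; this gist uses ca.key)
openssl genrsa -out ca.key 4096
# Create CA Certificate. No -config here, so the default openssl.cnf is used
# and the subject fields are prompted for interactively.
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1826 -out ca.crt
# Same, with the subject given inline (no prompts).
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1826 -out ca.crt -subj '/CN=Root-CA/C=SG/ST=CBD/L=Suntec/O=A350'
# Certificate Request for Webserver (subject inline). -nodes leaves ingress.key unencrypted.
# C is the two-letter country code; SG matches every other subject in this gist (was C=ST).
openssl req -new -nodes -out ingress.csr -newkey rsa:2048 -keyout ingress.key -subj '/CN=Web/C=SG/ST=CBD/L=Suntec/O=A350'
# Same, with the subject taken from san.cnf (prompt = no).
openssl req -new -nodes -out ingress.csr -newkey rsa:2048 -keyout ingress.key -config san.cnf
# Sign Webserver Certificate with the CA. SAN and key usage are taken from the
# [v3_req] section of san.cnf via -extfile, not from the CSR. -CAcreateserial
# creates ca.srl on first use; keep it so later signings get unique serial numbers.
openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ingress.crt -days 730 -sha256 -extfile san.cnf -extensions 'v3_req'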
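# san.cnf — OpenSSL config for the web-server CSR and for the CA signing step
# (consumed by: openssl req -new ... -config san.cnf, then
#  openssl x509 -req ... -extfile san.cnf -extensions v3_req).
[req]
distinguished_name = req_distinguished_name
# Only consulted by 'req -x509'; the CSR command does not use it. Without a
# 'req_extensions = v3_req' line the CSR itself carries no SAN — the SAN is
# applied by the CA at signing time through -extfile san.cnf.
x509_extensions = v3_req
# Take the subject from [req_distinguished_name] instead of prompting.
prompt = no

[req_distinguished_name]
C = SG
ST = CBD
L = Suntec
O = A350
OU = Training
CN = www.kopi-teh.com

[v3_req]
# Leaf certificate: must not be usable to sign other certificates.
basicConstraints = CA:FALSE
# digitalSignature is needed for (EC)DHE key exchange and for TLS 1.3; clients
# such as Firefox reject a server cert that lacks it. keyEncipherment only covers
# legacy RSA key transport.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
# Modern clients match on the SAN only and ignore CN; list every host name here.
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.kopi-teh.com
DNS.2 = www.coffee.net
DNS.3 = www.tea.io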