Create certificate with SAN
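# san.cnf -- OpenSSL request/certificate config for a TLS *server* certificate
# with Subject Alternative Names. Read by 'openssl req' (-config san.cnf) and by
# 'openssl x509 -req' (-extfile san.cnf -extensions v3_req).
#
# Note: only keys OpenSSL knows are honoured in each section. Extension lines such
# as basicConstraints/authorityKeyIdentifier are silently ignored inside [req];
# they must live in the extension section ([v3_req]) to end up in the certificate.

[req]
distinguished_name = req_distinguished_name
# extensions applied by 'req -x509' (self-signed certificate) ...
x509_extensions = v3_req
# ... and by 'req -new' (CSR). Without req_extensions the CSR carries no SAN,
# which matters if the CSR is submitted to a CA that does not re-add them.
req_extensions = v3_req
prompt = no

[v3_req]
# end-entity (server) certificate; it must never be usable as a CA
basicConstraints = critical, CA:FALSE
# SKID first so the AKID below can reference it on a self-signed cert
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# digitalSignature is required for TLS 1.3 and (EC)DHE suites (the server signs the
# handshake); keyEncipherment covers legacy RSA key exchange. nonRepudiation and
# dataEncipherment have no meaning for a TLS server and were dropped.
keyUsage = critical, digitalSignature, keyEncipherment
# restrict the certificate to TLS server use
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[req_distinguished_name]
C = SG
ST = CBD
L = Suntec
O = A350
OU = Training
# The CN is ignored by modern clients for hostname matching (the SAN is authoritative),
# but it must not reuse the CA's CN ("Root-CA"): a leaf whose subject equals its
# issuer's subject confuses chain building. Use the primary server name instead.
CN = myserver.local

[alt_names]
DNS.1 = myserver.local
DNS.2 = myserver1.local
IP.1 = 192.168.1.1
IP.2 = 192.168.2.1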
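# Ref: https://support.citrix.com/article/CTX135602/how-to-create-a-selfsigned-san-certificate-using-openssl-on-citrix-adc-appliance

# Create a self-signed certificate with SAN.
# -nodes writes key.pem UNENCRYPTED; keep it readable by the owner only.
# DN, SANs and key usage come from san.cnf. -extensions 'v3_req' selects the
# extension section explicitly (harmless if san.cnf already sets x509_extensions).
# 730 days is acceptable for a lab/private cert; publicly trusted leaf certs are
# capped at 398 days by browsers.
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout key.pem -out cert.pem -config san.cnf -extensions 'v3_req'

# View the certificate. Check that "X509v3 Subject Alternative Name" lists every
# host name / IP you expect and that keyUsage includes digitalSignature.
openssl x509 -in cert.pem -noout -text

# View a remote certificate. -servername sends SNI so a name-based vhost returns
# the right certificate. Caveats:
#  - 'openssl x509' decodes only the FIRST PEM block (the leaf) even with -showcerts;
#    drop the 'openssl x509' stage to see the whole chain as sent by the server.
#  - '2> /dev/null' also discards s_client's "verify error" lines; remove it when
#    debugging trust/chain problems.
echo | openssl s_client -showcerts -servername www.company.net -connect 172.18.0.240:443 2> /dev/null | openssl x509 -noout -text | less

# Certificate WITHOUT SAN (CN only).
# Modern clients (Chrome 58+, Go 1.15+, recent Firefox/curl) ignore the CN for
# hostname matching, so this certificate FAILS hostname verification. Use it only
# to see the difference; on OpenSSL >= 1.1.1 a one-liner with SAN is:
#   openssl req ... -x509 -addext 'subjectAltName=DNS:www.company.com'
openssl req -subj '/CN=www.company.com/O=Company/C=US' -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout key.pem -out cert.pem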
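# Ref: https://arminreiter.com/2022/01/create-your-own-certificate-authority-ca-using-openssl/

# Generate the CA key.
# *NOTE* this example does NOT encrypt the key. Education only -- in production keep
# the CA key encrypted (and ideally offline or in an HSM):
#   openssl genrsa -aes256 -out $CANAME.key 4096   <- with password encryption
openssl genrsa -out ca.key 4096

# Create the CA certificate (prompts for the DN).
# Whether 'req -x509' adds CA extensions on its own depends on the OpenSSL release
# (3.x adds basicConstraints CA:TRUE by default, 1.1.1 adds no extensions at all),
# so set them explicitly: basicConstraints marks the cert as a CA, keyUsage limits
# the key to signing certificates and CRLs. -addext needs OpenSSL >= 1.1.1.
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1826 -out ca.crt \
  -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=critical,keyCertSign,cRLSign'

# Same, with the subject inline.
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1826 -out ca.crt -subj '/CN=Root-CA/C=SG/ST=CBD/L=Suntec/O=A350' \
  -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=critical,keyCertSign,cRLSign'

# Certificate request for the web server (key is unencrypted, see note above).
# C must be a two-letter ISO 3166 country code; SG matches the CA subject above
# (the original 'C=ST' was a typo).
openssl req -new -nodes -out ingress.csr -newkey rsa:2048 -keyout ingress.key -subj '/CN=Web/C=SG/ST=CBD/L=Suntec/O=A350'

# Same, with the DN taken from san.cnf.
# 'req -new' only honours a req_extensions line in san.cnf; an x509_extensions line
# applies to -x509 only. Check what the CSR actually contains with:
#   openssl req -in ingress.csr -noout -text
openssl req -new -nodes -out ingress.csr -newkey rsa:2048 -keyout ingress.key -config san.cnf

# Sign the web server certificate with the CA.
# 'x509 -req' does not copy extensions from the CSR, so SAN / keyUsage / EKU must be
# supplied again via -extfile/-extensions. -CAcreateserial creates ca.srl on first
# use; keep it next to ca.key so serial numbers stay unique across signings.
openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ingress.crt -days 730 -sha256 -extfile san.cnf -extensions 'v3_req'

# Verify the chain and the SAN before deploying.
openssl verify -CAfile ca.crt ingress.crt
openssl x509 -in ingress.crt -noout -text | grep -A1 'Subject Alternative Name'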
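# san.cnf -- OpenSSL config for the www.kopi-teh.com TLS server certificate
# (several DNS SANs). Read by 'openssl req' (-config) and 'openssl x509 -req'
# (-extfile san.cnf -extensions v3_req).

[req]
distinguished_name = req_distinguished_name
# extensions applied by 'req -x509' (self-signed certificate) ...
x509_extensions = v3_req
# ... and by 'req -new' (CSR); without this the CSR is issued without any SAN
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = SG
ST = CBD
L = Suntec
O = A350
OU = Training
# clients match the SAN, not the CN; the CN is repeated in alt_names below
CN = www.kopi-teh.com

[v3_req]
# end-entity certificate, never a CA
basicConstraints = CA:FALSE
# digitalSignature is mandatory for TLS 1.3 and (EC)DHE suites -- the server signs
# the handshake, and OpenSSL-based servers refuse to use a cert without it
# (typically surfacing as "no shared cipher"). keyEncipherment covers legacy RSA
# key exchange. dataEncipherment is not used by TLS and was dropped.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.kopi-teh.com
DNS.2 = www.coffee.net
DNS.3 = www.tea.io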