@vermauv
Last active March 29, 2022 09:35
Openssl certs and keys

Create an OpenSSL private key and self-signed cert:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

To convert these into DER-encoded .key and .crt files (the DER private key is written unencrypted):

openssl rsa -outform der -in key.pem -out server.key
openssl x509 -outform der -in cert.pem -out server.crt

To create a root CA:

openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

OR

openssl genrsa -out "root-ca.key" 4096
openssl req \
          -new -key "root-ca.key" \
          -out "root-ca.csr" -sha256 \
          -subj '/C=IN/ST=GA/L=PO/O=TEST/CN=Example CA'

Create a file root-ca.cnf and paste the following contents into it. This constrains the root CA to signing leaf certificates and not intermediate CAs:

[root_ca]
# pathlen:0 means this CA may sign only leaf certificates, not further CAs
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash

Self-sign the root certificate with those extensions:

openssl x509 -req -days 3650 -in "root-ca.csr" \
          -signkey "root-ca.key" -sha256 -out "root-ca.crt" \
          -extfile "root-ca.cnf" -extensions root_ca

Generate the site key and CSR:

openssl genrsa -out "site.key" 4096
openssl req -new -key "site.key" -out "site.csr" -sha256 \
          -subj '/C=IN/ST=GA/L=PO/O=TEST/CN=localhost'

Sign the site certificate with the root CA (site.cnf must define a [server] extensions section):

openssl x509 -req -days 750 -in "site.csr" -sha256 \
          -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial \
          -out "site.crt" -extfile "site.cnf" -extensions server
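
An added example, not part of the gist: it builds root -> intermediate -> leaf chains in a temporary directory to show what the pathlen value in [root_ca] enforces. With pathlen:0 a leaf issued through an intermediate CA is rejected, with pathlen:1 it is accepted. The file names, subjects, the [int_ca] and [server] sections, the 30-day lifetimes and the RSA 2048 keys are assumptions chosen for the demo.

```sh
#!/bin/sh
# Added example (not from the gist): how the root CA's pathlen limits chain depth.
# File names, subjects, [int_ca]/[server] and RSA 2048 are assumptions for the demo.

# build_chain PATHLEN: run in an empty directory; builds root -> intermediate -> leaf.
# Status: 0 = leaf accepted, 1 = rejected by `openssl verify`, 3 = setup failed.
build_chain() {
    cat > demo.cnf <<EOF
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:$1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier = hash
[int_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
[server]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
    for n in root int site; do
        openssl genrsa -out "$n.key" 2048 || return 3
    done
    openssl req -new -key root.key -out root.csr -sha256 -subj '/O=TEST/CN=Example CA' &&
    openssl x509 -req -days 30 -in root.csr -signkey root.key -sha256 \
        -out root.crt -extfile demo.cnf -extensions root_ca &&
    openssl req -new -key int.key -out int.csr -sha256 -subj '/O=TEST/CN=Example Intermediate' &&
    openssl x509 -req -days 30 -in int.csr -sha256 -CA root.crt -CAkey root.key \
        -CAcreateserial -out int.crt -extfile demo.cnf -extensions int_ca &&
    openssl req -new -key site.key -out site.csr -sha256 -subj '/O=TEST/CN=localhost' &&
    openssl x509 -req -days 30 -in site.csr -sha256 -CA int.crt -CAkey int.key \
        -CAcreateserial -out site.crt -extfile demo.cnf -extensions server || return 3
    # The intermediate is supplied as untrusted; only the root is a trust anchor.
    openssl verify -CAfile root.crt -untrusted int.crt site.crt || return 1
}

# leaf_verifies_under_intermediate PATHLEN: runs build_chain in a throwaway directory.
leaf_verifies_under_intermediate() {
    tmp=$(mktemp -d) || return 3
    ( cd "$tmp" && build_chain "$1" ) >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

for p in 0 1; do
    leaf_verifies_under_intermediate "$p" && r=accepted || r="not accepted (status $?)"
    echo "pathlen:$p -> leaf issued through an intermediate CA: $r"
done
```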