Skip to content

Instantly share code, notes, and snippets.

@x-yuri
Last active June 22, 2024 15:24
Show Gist options
  • Save x-yuri/8178c9aa2dcf8acbe4ccc2a07313b22d to your computer and use it in GitHub Desktop.
Save x-yuri/8178c9aa2dcf8acbe4ccc2a07313b22d to your computer and use it in GitHub Desktop.
Generating SSL certificates

Generating SSL certificates

req:

openssl req -x509 -subj /CN=root.yourdomain.com -days 3650 -noenc \
    -out root.crt -keyout root.key
  # -x509 - generate a certificate
  # -subj - subject
  # -days - validity period
  # -noenc - don't encrypt the private key (no passphrase)
  # -out - output certificate
  # -keyout - output private key
openssl req -x509 -subj /CN=server.yourdomain.com -days 365 -noenc \
    -CA root.crt -CAkey root.key -extensions usr_cert \
    -out server.crt -keyout server.key
  # -x509 - generate a certificate
  # -subj - subject
  # -days - validity period
  # -noenc - don't encrypt the private key (no passphrase)
  # -CA - the CA certificate
  # -CAkey - the CA private key
  # -extensions - the section of the config file to add X.509 extensions from
  # -out - output certificate
  # -keyout - output private key

req + x509 (based on the pg documentation):

openssl req -new -subj /CN=root.yourdomain.com -noenc \
    -out root.csr -keyout root.key
  # -new - generate a CSR
  # -subj - subject
  # -noenc - don't encrypt the private key (no passphrase)
  # -out - output CSR
  # -keyout - output private key
openssl x509 -req -in root.csr -days 3650 \
    -extfile /etc/ssl/openssl.cnf -extensions v3_ca -key root.key \
    -out root.crt
  # -req - sign a CSR
  # -in - CSR
  # -days - validity period
  # -extfile - the config file to add X.509 extensions from
  # -extensions - the section of the config file to add X.509 extensions from
  # -key - the private key
  # -out - output certificate
openssl req -new -subj /CN=server.yourdomain.com -noenc \
    -out server.csr -keyout server.key
  # -new - generate a CSR
  # -subj - subject
  # -noenc - don't encrypt the private key (no passphrase)
  # -out - output CSR
  # -keyout - output private key
openssl x509 -req -in server.csr -days 365 \
    -extfile /etc/ssl/openssl.cnf -extensions usr_cert \
    -CA root.crt -CAkey root.key \
    -out server.crt
  # -req - sign a CSR
  # -in - CSR
  # -days - validity period
  # -extfile - the config file to add X.509 extensions from
  # -extensions - the section of the config file to add X.509 extensions from
  # -CA - the CA certificate
  # -CAkey - the CA private key
  # -out - output certificate

genrsa + req + x509:

openssl genrsa -out root.key
  # -out - output private key
openssl req -new -subj /CN=root.yourdomain.com -key root.key \
    -out root.csr
  # -new - generate a CSR
  # -subj - subject
  # -key - the private key
  # -out - output CSR
openssl x509 -req -in root.csr -days 3650 \
    -extfile /etc/ssl/openssl.cnf -extensions v3_ca -key root.key \
    -out root.crt
  # -req - sign a CSR
  # -in - CSR
  # -days - validity period
  # -extfile - the config file to add X.509 extensions from
  # -extensions - the section of the config file to add X.509 extensions from
  # -key - the private key
  # -out - output certificate
openssl genrsa -out server.key
  # -out - output private key
openssl req -new -subj /CN=server.yourdomain.com -key server.key \
    -out server.csr
  # -new - generate a CSR
  # -subj - subject
  # -key - the private key
  # -out - output CSR
openssl x509 -req -in server.csr -days 365 \
    -extfile /etc/ssl/openssl.cnf -extensions usr_cert \
    -CA root.crt -CAkey root.key \
    -out server.crt
  # -req - sign a CSR
  # -in - CSR
  # -days - validity period
  # -extfile - the config file to add X.509 extensions from
  # -extensions - the section of the config file to add X.509 extensions from
  # -CA - the CA certificate
  # -CAkey - the CA private key
  # -out - output certificate
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment