Skip to content

Instantly share code, notes, and snippets.

@yidas
Last active Dec 16, 2021
Embed
What would you like to do?
Certificate(CSR) configuration file

Openssl commands:

openssl genrsa -out self-ssl.key
openssl req -new -key self-ssl.key -out self-ssl.csr -config csr.conf
openssl x509 -req -days 365 -in self-ssl.csr -signkey self-ssl.key -out self-ssl.crt -extensions req_ext -extfile csr.conf

Sign from Root CA: openssl x509 -req -days 365 -extensions req_ext -extfile csr.conf -CA RootCA.crt -CAkey RootCA.key -in self-ssl.csr -out self-ssl.crt

Configuration csr.conf:

[req]
default_bits = 2048
distinguished_name = dn
prompt             = no

[dn]
C="TW"
ST="Taiwan"
L="Taipei"
O="YIDAS"
OU="Service"
emailAddress="yourmail@mail.com"
CN="yourdomain.com"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.0 = *.yourdomain.com
DNS.1 = *.dev.yourdomain.com

[req] is for CSR with distinguished_name setting, while [req_ext] is called for -extensions with creating crt with SAN(subjectAltName) setting.

Extract information from the CSR/CRT

openssl req -in self-ssl.csr -text -noout
openssl x509 -in self-ssl.crt -text -noout

Trsuted CA or CRT

After building self-signed RootCA or CRT, you could install it into your browser client.

If you install RootCA or parent CRT, the SAN setting in the bottom CRT could be change by server with convenience, which the installer does not need to re-install CA.

@debu999
Copy link

debu999 commented Sep 15, 2020

Thanks a ton really helpful.

@eddyekofo94
Copy link

eddyekofo94 commented Jan 4, 2021

Thanks 👍

@ggress
Copy link

ggress commented Jun 11, 2021

Thanks

@aakash-pinc
Copy link

aakash-pinc commented Sep 11, 2021

What is csr configuration for these fields -keysize 2048 -keyalg RSA -sigalg SHA256withRSA?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment