Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place! - Ensure you have installed OpenSSL in your system either Windows or Linux, here we're just using neutral OpenSSL commands.
openssl genrsa -des3 -out rootCA.key 4096If you want a non password protected key just remove the -des3 option
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crtHere we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA
openssl genrsa -out mydomain.com.key 2048
openssl pkcs8 -topk8 -inform PEM -outform PEM -in mydomain.com.key -out mydomain.com_unec.key -nocryptThe certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.
Important: Please mind that while creating the signign request is important to specify the Common Name providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
I will describe here three ways to generate CSRs using your command line tool.
If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the Common Name (CN) that is the web address you are creating the certificate for, e.g mydomain.com.
openssl req -new -key mydomain.com.key -out mydomain.com.csrThis method generates the same output as Method A but it's suitable for use in your automation :)
openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csrIf you need to pass additional config you can use the -config parameter, here for example I want to add alternative names to my certificate.
openssl req -new -sha256 \
-key mydomain.com.key \
-subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
-out mydomain.com.csrSometimes it is better to align with a consistent configuration INI-like-format file which will give you more freedom and consistency. As an example you can use the following
# OpenSSL configuration file for creating a CSR for a server certificate
# Adapt at least the FQDN and ORGNAME lines, and then run
# openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
# on the command line.
# Visit https://github.com/openssl/openssl/blob/master/apps/openssl.cnf for futher details
# the fully qualified server (or service) name
FQDN = foo.example.org
# the name of your organization
# (see also https://www.switch.ch/pki/participants/)
ORGNAME = Example University
# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Please note: all DNS names must
# resolve to the same IP address as the FQDN.
ALTNAMES = DNS:$FQDN # , DNS:bar.example.org , DNS:www.foo.example.org
# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = CH
O = $ORGNAME
CN = $FQDN
[ req_ext ]
subjectAltName = $ALTNAMES
Save the above file with your FQDN (i.e. myserver.cnf) and run the following CLI commands:
touch myserver.key
chmod 600 myserver.key
openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csropenssl req -in mydomain.com.csr -noout -textopenssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256openssl x509 -in mydomain.com.crt -text -noout