@koonix
Created February 18, 2025 14:02

Creating Self-Signed ED25519 CA and Certificates


Important

The Common Name (CN) of the server certificates must differ from the CN of the CA. OpenSSL locates a certificate's issuer by matching the subject name, so a server certificate whose subject equals the CA's subject is treated as a self-signed certificate and chain validation fails on servers that use OpenSSL.

CA

openssl genpkey -algorithm ed25519 > ca-key.pem
openssl req -x509 -new -sha512 -days 365250 -subj '/CN=ca' -key ca-key.pem -out ca-cert.pem

The -sha512 option has no effect here: Ed25519 is pure EdDSA with its own fixed internal hashing, so OpenSSL ignores the digest option for Ed25519 keys. 365250 days is roughly a thousand years; that is fine for a private CA, but the leaf lifetime below matters more (see the note after the server commands).

Servers

openssl genpkey -algorithm ed25519 > server-key.pem
openssl req -new -sha512 -subj '/CN=server' -key server-key.pem -out server-csr.pem
openssl x509 -days 365250 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

-CAcreateserial writes the serial number counter to ca-cert.srl next to the CA certificate; keep it with the CA key so later certificates get distinct serials. As written, the server certificate carries no extensions at all: no Subject Alternative Name, no keyUsage, no extendedKeyUsage. Modern TLS clients (browsers, Go, curl) match the requested host name against the SAN only and ignore the CN, so a certificate without a SAN fails hostname verification even though openssl verify accepts it. Set the SAN as described in the next section. Also note that some clients, Apple's in particular, reject TLS server certificates valid for more than 825 days, so a multi-century -days value on the leaf can cause connection failures.

Note for setting the server's SAN (Subject Alternative Name)

Add this option to the last command (openssl x509) to set the SAN of the server. The DNS: type prefix is required; OpenSSL rejects a bare host name with an "unsupported option" error:

-extfile <(printf "subjectAltName=DNS:my.san.com")

Several names can be listed, comma-separated:

-extfile <(printf "subjectAltName=DNS:my.san.com,DNS:www.my.san.com,IP:1.2.3.4")

The <(...) process substitution is a bash feature; in a plain POSIX shell write the line to a file and pass that file to -extfile. Extensions present in the CSR itself are not copied into the certificate by openssl x509 -req unless you pass -copy_extensions copy (OpenSSL 3.0 and later), which is why the SAN is supplied at signing time here.

For an IP SAN use this:

-extfile <(printf "subjectAltName=IP:1.2.3.4")

Verify

openssl verify -verbose -CAfile ca-cert.pem server-cert.pem

This only checks that server-cert.pem chains to ca-cert.pem. To also check that the certificate is valid for a given name, the way a TLS client would, add -verify_hostname my.san.com (or -verify_ip 1.2.3.4 for an IP SAN) to the same command.
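The whole procedure above (CA, CSR, signing with a SAN, verification) as one POSIX shell script. This is an added example, not code from the original gist; it assumes OpenSSL 1.1.1 or later on PATH, and the directory, host name my.san.com and address 1.2.3.4 are arbitrary sample values. Unlike the page's plain verify line, its check also confirms that the certificate is valid for the name a client would connect to.

```shell
#!/bin/sh
# Added example (not part of the original gist): Ed25519 CA -> CSR -> signed
# server certificate with a SAN, plus a hostname-aware verification step.
# Assumes OpenSSL >= 1.1.1 on PATH and a default openssl.cnf (as the gist does).
set -eu

# make_pki DIR HOST [IP]
# Writes ca-key.pem, ca-cert.pem, server-key.pem, server-csr.pem and
# server-cert.pem into DIR. The CA subject is /CN=ca and the server subject
# is /CN=HOST, so the two CNs always differ (see the note at the top of the page).
make_pki() {
    dir=$1; host=$2; ip=${3:-}
    mkdir -p "$dir"

    # CA key and self-signed CA certificate. No -sha512: Ed25519 signatures
    # take no digest option, OpenSSL ignores it anyway.
    openssl genpkey -algorithm ed25519 -out "$dir/ca-key.pem"
    openssl req -x509 -new -days 3650 -subj '/CN=ca' \
        -key "$dir/ca-key.pem" -out "$dir/ca-cert.pem"

    # Server key and CSR. The CN is kept for display only; clients check the SAN.
    openssl genpkey -algorithm ed25519 -out "$dir/server-key.pem"
    openssl req -new -subj "/CN=$host" \
        -key "$dir/server-key.pem" -out "$dir/server-csr.pem"

    # Leaf extensions. The DNS:/IP: prefixes in subjectAltName are mandatory.
    # An Ed25519 key can only sign, so digitalSignature is the only key usage
    # that applies (no keyEncipherment as there is no RSA key transport).
    san="DNS:$host"
    if [ -n "$ip" ]; then
        san="$san,IP:$ip"
    fi
    cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=$san
EOF

    # Sign the CSR with the CA. 825 days is the longest leaf lifetime Apple
    # clients accept; -CAcreateserial writes DIR/ca-cert.srl on first use.
    openssl x509 -req -days 825 -in "$dir/server-csr.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server-cert.pem"
}

# verify_chain DIR NAME
# Prints "ok" when server-cert.pem chains to ca-cert.pem AND NAME matches a
# SAN entry (DNS names via -verify_hostname, dotted-decimal IPs via -verify_ip),
# "fail" otherwise. A chain that validates but for the wrong name is "fail":
# that is the check the page's plain `openssl verify` line does not perform.
verify_chain() {
    dir=$1; name=$2
    case $name in
        *[!0-9.]*) flag=-verify_hostname ;;   # anything that is not dotted-decimal
        *)         flag=-verify_ip ;;
    esac
    if openssl verify -CAfile "$dir/ca-cert.pem" "$flag" "$name" \
        "$dir/server-cert.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Usage: sh this-script.sh demo
if [ "${1:-}" = demo ]; then
    out=$(mktemp -d)
    make_pki "$out" my.san.com 1.2.3.4
    openssl x509 -in "$out/server-cert.pem" -noout -subject -ext subjectAltName
    echo "my.san.com:    $(verify_chain "$out" my.san.com)"
    echo "1.2.3.4:       $(verify_chain "$out" 1.2.3.4)"
    echo "other.example: $(verify_chain "$out" other.example)"
fi
```

The CA step deliberately keeps the gist's openssl req -x509 form, which takes CA:TRUE and subjectKeyIdentifier from the v3_ca section of the default openssl.cnf; the leaf step replaces the bash-only process substitution with an extension file so the script runs under any POSIX sh.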