Generate a private key
To disable password protection of the private key (normally not recommended), remove the -des3 flag.
openssl genpkey -algorithm RSA -des3 -out private-key.pem -pkeyopt rsa_keygen_bits:4096
Create a certificate signing request
openssl req -new -key private-key.pem -out csr.pem
You will be prompted with the following:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Gypsytown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:mywebsite.mydomain.net
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:
Creating the self-signed cert
openssl x509 -in csr.pem -out certificate.pem -req -signkey private-key.pem -days 365
Generate a private key. Set a strong password on this key to protect it.
openssl genrsa -des3 -out mysiteCA.key 2048
Generate the root certificate.
openssl req -x509 -new -nodes -key mysiteCA.key -sha256 -days 1825 -out mysiteCA.pem
You should now have two files: mysiteCA.key (your private key) and mysiteCA.pem (your root certificate).
Create a private key.
openssl genrsa -out mysite.com.key 4096
Use the new private key to create a CSR.
openssl req -new -key mysite.com.key -out mysite.com.csr
Create the config file for this signing.
vim mysiteconfig.ext
With these contents:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mysite.com
Create the new certificate.
openssl x509 -req -in mysite.com.csr -CA mysiteCA.pem -CAkey mysiteCA.key -CAcreateserial -out mysite.com.crt -days 825 -sha256 -extfile mysiteconfig.ext
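The CA procedure above as one non-interactive script, followed by the checks that confirm the issued certificate chains to the root and carries the expected name. This is an added example, not part of the original page; the passphrase value, the -subj names and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: the CA procedure above, run non-interactively and then verified.
# CA_PASS is a constructed throwaway passphrase, passed through the environment
# so it stays out of the process argument list. Subject names are assumptions.
CA_PASS=${CA_PASS:-constructed-demo-passphrase}; export CA_PASS

issue_demo_chain() {    # $1 = empty working directory
    ( cd "$1" || exit 1
      umask 077         # key files readable by their owner only
      openssl genrsa -des3 -passout env:CA_PASS -out mysiteCA.key 2048 &&
      openssl req -x509 -new -key mysiteCA.key -passin env:CA_PASS -sha256 \
          -days 1825 -subj "/CN=mysite demo root CA" -out mysiteCA.pem &&
      openssl genrsa -out mysite.com.key 4096 &&
      openssl req -new -key mysite.com.key -subj "/CN=mysite.com" \
          -out mysite.com.csr &&
      cat > mysiteconfig.ext <<'EOF' &&
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mysite.com
EOF
      openssl x509 -req -in mysite.com.csr -CA mysiteCA.pem -CAkey mysiteCA.key \
          -passin env:CA_PASS -CAcreateserial -out mysite.com.crt -days 825 \
          -sha256 -extfile mysiteconfig.ext
    ) >/dev/null 2>&1
}

check_host() {          # $1 = directory, $2 = hostname a client would expect
    # Succeeds only if the chain validates to the root AND the name matches.
    openssl verify -CAfile "$1/mysiteCA.pem" -verify_hostname "$2" \
        "$1/mysite.com.crt" >/dev/null 2>&1
}

has_san() {             # $1 = directory, $2 = DNS name expected in the SAN
    openssl x509 -in "$1/mysite.com.crt" -noout -text | grep -q "DNS:$2"
}

demo_dir=$(mktemp -d)
if issue_demo_chain "$demo_dir" && check_host "$demo_dir" mysite.com; then
    echo "mysite.com.crt chains to mysiteCA.pem and matches mysite.com"
else
    echo "issuance or verification failed" >&2
fi
```

A certificate signed without -extfile gets no subjectAltName, so has_san is the check to keep after any change to the signing command.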