Openssl TLS https certificates

Generating and converting OpenSSL

How to generate a CSR, verify it, and convert certificates between formats.

Generate with a subject alternative name (SAN)

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -addext "subjectAltName = DNS:dms.local.superdrob.pl"

Verify

  • CSR (check its self-signature and print it): openssl req -text -noout -verify -in server.csr

  • CSR (print contents only): openssl req -noout -text -in server.csr

  • Public certificate (CER, DER-encoded): openssl x509 -inform der -noout -text -in server.cer

Convert

  • DER -> PEM: openssl x509 -inform der -in server.cer -out server.pem

REMEMBER TO APPEND THE CA CHAIN (the intermediate certificates) after the server certificate in the PEM file.

Generate with openssl.cnf

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

[ req ]
default_bits            = 2048
distinguished_name      = req_distinguished_name
attributes              = req_attributes

# Stop confirmation prompts. All information is contained below.
prompt                  = no

# The extensions to add to a certificate request - see [ v3_req ]
req_extensions          = v3_req

[ req_distinguished_name ]
# Describe the Subject (i.e. the organisation).
# The first 6 fields below could be shortened to: C ST L O OU CN
# The short names are what are shown when the certificate is displayed.
# Eg the details below would be shown as:
#    Subject: C=UK, ST=Hertfordshire, L=My Town, O=Some Organisation, OU=Some Department, CN=www.example.com/[email protected]

# Leave as long names as it helps documentation

countryName=            XX
stateOrProvinceName=    XXX
localityName=           XXX
organizationName=       SudoNet
organizationalUnitName= IT
commonName=             domainname.com
emailAddress=           <email>

[ req_attributes ]
# None. A challenge password could go here; we don't want one, so the section stays empty.

[ v3_req ]

# X509v3 extensions to add to a certificate request
# See x509v3_config

# What the key can/cannot be used for:
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth

# The subjectAltName is where you list the additional host names the certificate must cover.
# You may have more than one of these, so put in the section [ alt_names ]
# If you do not have any extra names, comment the next line out.
subjectAltName = @alt_names

# List of all the other DNS names that the certificate should work for.
[ alt_names ]
DNS.1 = <domain>

Then generate with: openssl req -new -newkey rsa:2048 -nodes -config ../openssl.cnf -keyout server.key -out server.csr
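The whole procedure on this page, scripted end to end so each step can be checked. This is an added example, not code from the original page: it writes a trimmed copy of the openssl.cnf above, generates the key and CSR from it, runs the verify step, has a throwaway self-signed test CA issue the certificate (standing in for whatever CA you actually submit the CSR to), does the DER <-> PEM round trip, and appends the CA chain. The host names (www.example.test, example.test), DN values, file names and the WORK scratch directory are all constructed for the demo; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example (not from the original page). Scripts the page's workflow:
# config-driven CSR with a SAN -> verify -> sign with a throwaway test CA
# -> DER <-> PEM round trip -> append the CA chain. All names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Leaf config in the style of the page's openssl.cnf, trimmed to what matters,
# plus a tiny config for the throwaway root CA (CA bit set, keyCertSign).
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
prompt              = no
req_extensions      = v3_req
[ req_distinguished_name ]
countryName         = XX
organizationName    = Example Org
commonName          = www.example.test
[ v3_req ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name  = dn
prompt              = no
x509_extensions     = ca_ext
[ dn ]
commonName          = Example Test CA
[ ca_ext ]
basicConstraints    = critical, CA:TRUE
keyUsage            = critical, keyCertSign, cRLSign
EOF
}

# Key + CSR: the page's "generate with openssl.cnf" command.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# The page's verify step: succeeds only if the CSR's self-signature checks out.
# (OpenSSL 1.1.1 prints "verify OK" on stderr, 3.x on stdout, so merge both.)
verify_csr() {
    openssl req -noout -verify -in "$WORK/server.csr" 2>&1 | grep -q 'verify OK'
}

# Number of DNS SAN entries in the -text dump of a CSR ("req") or cert ("x509").
count_dns_sans() {
    openssl "$1" -noout -text -in "$2" | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}

# Self-signed test root; in real life this is the CA you send the CSR to.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue the leaf. -extfile/-extensions is what carries the SAN into the cert:
# x509 -req does not copy the CSR's v3_req extensions on its own.
sign_csr() {
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_req \
        -out "$WORK/server.pem" 2>/dev/null
}

# Chain validation of the issued certificate against the test root.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null
}

# PEM -> DER (the .cer many CAs hand out) and DER -> PEM as on the page;
# the SHA-256 fingerprint must be unchanged by the round trip.
roundtrip_der() {
    openssl x509 -in "$WORK/server.pem" -outform der -out "$WORK/server.cer"
    openssl x509 -inform der -in "$WORK/server.cer" -out "$WORK/server_from_der.pem"
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$WORK/server.pem")
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$WORK/server_from_der.pem")
    [ "$a" = "$b" ]
}

# "REMEMBER TO APPEND CA CHAIN": leaf first, then the issuing CA(s).
# Prints how many certificates the resulting file contains.
build_chain() {
    cat "$WORK/server.pem" "$WORK/ca.pem" > "$WORK/fullchain.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/fullchain.pem"
}

main() {
    write_config; gen_csr; verify_csr
    echo "DNS SANs in CSR:  $(count_dns_sans req "$WORK/server.csr")"
    make_ca; sign_csr; verify_chain; roundtrip_der
    echo "DNS SANs in cert: $(count_dns_sans x509 "$WORK/server.pem")"
    echo "certs in chain:   $(build_chain)"
}
main
```

Two caveats worth keeping in mind. The `-addext` shortcut from the top of the page needs OpenSSL 1.1.1 or newer; the `-config` route works on older releases too. And whichever route you use, a SAN in the CSR only ends up in the certificate if the CA copies it (here forced with `-extfile`; an `openssl ca` setup needs `copy_extensions` in its config), so always inspect the issued certificate with `openssl x509 -noout -text` rather than trusting the CSR.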