OpenSSL TLS HTTPS certificates
Generating and converting with OpenSSL
How to generate a CSR, verify it and convert it to different formats.
Generate with a subject alternative name (SAN)
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -addext "subjectAltName = DNS:dms.local.superdrob.pl"
Verify
- CSR (check its self-signature and print it)
openssl req -text -noout -verify -in server.csr
- CSR (print only)
openssl req -noout -text -in server.csr
- Public cert (CER) in DER form, hence inform der
openssl x509 -inform der -noout -text -in server.cer
Convert
- DER -> PEM
openssl x509 -inform der -in server.cer -out server.pem
REMEMBER TO APPEND THE CA CHAIN: server.pem holds only the leaf certificate, so add the intermediate CA certificate(s) in PEM after it before deploying.
Generate with an openssl.cnf
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
# Stop confirmation prompts. All information is contained below.
prompt = no
# The extensions to add to a certificate request - see [ v3_req ]
req_extensions = v3_req
[ req_distinguished_name ]
# Describe the Subject (ie the organisation).
# The first 6 below could be shortened to: C ST L O OU CN
# The short names are what are shown when the certificate is displayed.
# Eg the details below would be shown as:
# Subject: C=UK, ST=Hertfordshire, L=My Town, O=Some Organisation, OU=Some Department, CN=www.example.com/[email protected]
# Leave as long names as it helps documentation
countryName= XX
stateOrProvinceName= XXX
localityName= XXX
organizationName= SudoNet
organizationalUnitName= IT
commonName= domainname.com
emailAddress= <email>
[ req_attributes ]
# None. Challenge passwords could go here; we don't want them, so leave it empty.
[ v3_req ]
# X509v3 extensions to add to a certificate request
# See x509v3_config
# What the key can/cannot be used for:
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
# The subjectAltName is where you give the names of extra web sites.
# You may have more than one of these, so put in the section [ alt_names ]
# If you do not have any extra names, comment the next line out.
subjectAltName = @alt_names
# List of all the other DNS names that the certificate should work for.
[ alt_names ]
DNS.1 = <domain>
Then generate the key and CSR with:
openssl req -new -newkey rsa:2048 -nodes -config ../openssl.cnf -keyout server.key -out server.csr
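The commands on this page chained into an end-to-end check, as an added example that is not part of the original page: it writes an openssl.cnf in the same layout with the SAN list, generates the key and CSR, verifies the CSR and confirms which DNS SANs it actually carries, issues a throwaway self-signed certificate in DER form as a stand-in for the .cer a CA would return, detects which -inform the file needs, converts it to PEM, appends a chain and checks the bundle. It assumes the openssl CLI (1.1.1 or newer) on PATH; the hostnames (www.example.test, api.example.test), the "Example Test CA" chain and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: the page's commands chained into
# checkable steps. Assumes the openssl CLI (1.1.1 or newer) is on PATH.
# All names below (example.test hosts, "Example Test CA") are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for key, CSR and certs

# Write a minimal openssl.cnf in the page's layout; every extra argument
# becomes a DNS.n entry in [ alt_names ].
# Usage: write_cnf <common-name> <dns-name>...
write_cnf() {
  cn="$1"; shift
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[ req_distinguished_name ]
commonName = $cn
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
EOF
  i=1
  for name in "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$name" >> "$WORK/openssl.cnf"
    i=$((i + 1))
  done
}

# Generate the key and CSR from that config (the page's final command).
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Exit status 0 when the CSR's self-signature verifies (page: req -verify).
verify_csr() {
  openssl req -noout -verify -in "$WORK/server.csr" >/dev/null 2>&1
}

# Print the DNS SANs the CSR actually carries, one per line. A CSR that lost
# its SAN yields a certificate that browsers reject for the hostname.
csr_dns_sans() {
  openssl req -noout -text -in "$WORK/server.csr" \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Issue a throwaway self-signed certificate from the CSR in DER form, a
# constructed stand-in for the .cer a CA returns. -extfile/-extensions copy
# the SAN into the certificate (x509 -req does not copy CSR extensions by default).
issue_der_cert() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" -days 1 \
    -extfile "$WORK/openssl.cnf" -extensions v3_req \
    -outform der -out "$WORK/server.cer" 2>/dev/null
}

# Say which -inform a certificate file needs: pem or der.
cert_inform() {
  if openssl x509 -inform pem -noout -in "$1" 2>/dev/null; then echo pem
  elif openssl x509 -inform der -noout -in "$1" 2>/dev/null; then echo der
  else return 1
  fi
}

# DER -> PEM (page: x509 -inform der), then append the CA chain so the server
# presents the full path (the page's "REMEMBER TO APPEND CA CHAIN").
# Usage: der_to_pem_bundle <leaf.cer> <chain.pem> <out.pem>
der_to_pem_bundle() {
  openssl x509 -inform der -in "$1" -out "$3"
  cat "$2" >> "$3"
}

# Number of certificates in a PEM bundle; 2 or more once a chain is appended.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The first certificate in the bundle must be the leaf that matches the key.
key_matches_cert() {   # <bundle.pem> <key.pem>
  [ "$(openssl x509 -noout -modulus -in "$1")" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Constructed chain: a throwaway self-signed "CA" standing in for the real
# intermediate(s); -subj overrides the DN from the config file.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/openssl.cnf" \
    -subj '/CN=Example Test CA' -keyout "$WORK/ca.key" -out "$WORK/chain.pem" 2>/dev/null
}

# Run the whole flow; prints the SANs found and the bundle's certificate count.
run_demo() {
  write_cnf www.example.test www.example.test api.example.test
  gen_csr
  verify_csr
  csr_dns_sans
  issue_der_cert
  make_demo_chain
  der_to_pem_bundle "$WORK/server.cer" "$WORK/chain.pem" "$WORK/bundle.pem"
  echo "inform: $(cert_inform "$WORK/server.cer"), certs in bundle: $(count_certs "$WORK/bundle.pem")"
  key_matches_cert "$WORK/bundle.pem" "$WORK/server.key" && echo "leaf matches server.key"
}

run_demo
```

Run it as a plain sh script; the key_matches_cert check catches the common mistake of deploying a converted certificate next to the wrong private key, and count_certs is a quick sign that the chain really was appended after the leaf.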