Create a certificate signing request and use it to generate an SSL certificate. I strongly suggest reading my two earlier blog posts about self-signed SSL certificates and private keys, as they contain useful background. I will describe three different ways to generate a certificate signing request. Note that the first two set only the commonName; browsers and most TLS clients match the hostname against the subjectAltName extension and ignore the CN, so for a certificate that has to pass client validation use the third, configuration-file method, which requests subjectAltName.
An interactive way to generate a simple SSL certificate using a CSR
Generate a private key.
$ openssl genpkey -algorithm RSA -out example.org.key -pkeyopt rsa_keygen_bits:4096
Generate a certificate signing request. You will be asked interactively for each parameter.
$ openssl req -new -sha256 -key example.org.key -out example.org.csr
Verify the signature on the request.
$ openssl req -in example.org.csr -noout -verify
verify OK
Verify the subject line.
$ openssl req -in example.org.csr -noout -subject
subject=/C=PL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=example.org/emailAddress=admin@example.org
Generate a self-signed certificate.
$ openssl x509 -req -in example.org.csr -signkey example.org.key -out example.org.crt -days 365
Display certificate information.
$ openssl x509 -in example.org.crt -noout -serial -subject -issuer -dates
serial=9D797BBD78B3AC55
subject= /C=PL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=example.org/emailAddress=admin@example.org
issuer= /C=PL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=example.org/emailAddress=admin@example.org
notBefore=Nov  5 21:17:56 2017 GMT
notAfter=Nov  5 21:17:56 2018 GMT
A non-interactive way to generate a simple SSL certificate using a CSR
Generate a private key.
$ openssl genpkey -algorithm RSA -out example.com.key -pkeyopt rsa_keygen_bits:4096
Generate a certificate signing request. The whole subject is passed on the command line with -subj, so nothing is asked interactively.
$ openssl req -new -sha256 -key example.com.key -out example.com.csr \
    -subj "/C=PL/ST=pomorskie/O=personal/L=Gdansk/CN=example.com/OU=IT/emailAddress=admin@example.com/"
Verify the signature on the request.
$ openssl req -in example.com.csr -noout -verify
verify OK
Verify the subject line.
$ openssl req -in example.com.csr -noout -subject
subject=/C=PL/ST=pomorskie/O=personal/L=Gdansk/CN=example.com/OU=IT/emailAddress=admin@example.com
Generate a self-signed certificate.
$ openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 365
Display certificate information.
$ openssl x509 -in example.com.crt -noout -serial -subject -issuer -dates
serial=C00F7945258559D4
subject= /C=PL/ST=pomorskie/O=personal/L=Gdansk/CN=example.com/OU=IT/emailAddress=admin@example.com
issuer= /C=PL/ST=pomorskie/O=personal/L=Gdansk/CN=example.com/OU=IT/emailAddress=admin@example.com
notBefore=Nov  5 21:36:58 2017 GMT
notAfter=Nov  5 21:36:58 2018 GMT
An automated way to generate an SSL certificate using a CSR
Create a certificate configuration. prompt = no makes openssl req read every field from this file instead of asking for it, and the [alt_names] section requests the subjectAltName entries the certificate should cover.
cat <<EOF | tee example.net.cfg
[ req ]
req_extensions = req_ext
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
commonName=example.net

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.net
DNS.2 = *.example.net
DNS.3 = *.devel.example.net
EOF
Generate a private key.
$ openssl genpkey -algorithm RSA -out example.net.key -pkeyopt rsa_keygen_bits:4096
Generate a certificate signing request. All parameters come from the configuration file, so nothing is asked interactively.
$ openssl req -new -config example.net.cfg -extensions req_ext -sha256 -key example.net.key -out example.net.csr
Verify the signature on the request.
$ openssl req -in example.net.csr -noout -verify
verify OK
Display the request and check that both the subject and the requested subjectAltName extension are what you expect.
$ openssl req -in example.net.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:aa:dc:75:fd:41:d5:f9:80:3c:1e:d3:b6:bc:b3:
                    [...]
                    a9:42:a3
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.net, DNS:*.example.net, DNS:*.devel.example.net
    Signature Algorithm: sha256WithRSAEncryption
         04:17:0e:25:bc:43:9d:56:31:a5:36:16:bf:9d:3c:d4:78:81:
         [...]
         eb:52:11:5b:23:5a:00:9f
Generate a self-signed certificate. openssl x509 -req does not carry the extensions requested in the CSR over to the certificate, so the subjectAltName has to be supplied again with -extfile and -extensions (OpenSSL 3.0 and later can alternatively copy them with -copy_extensions copy). Without this the certificate would contain only the CN.
$ openssl x509 -req -extfile example.net.cfg -extensions req_ext -in example.net.csr -signkey example.net.key -out example.net.crt -days 365
Display certificate information.
$ openssl x509 -in example.net.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15004733904815655982 (0xd03b85fce9cc0c2e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example.net
        Validity
            Not Before: Nov  5 23:13:22 2017 GMT
            Not After : Nov  5 23:13:22 2018 GMT
        Subject: CN=example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:aa:dc:75:fd:41:d5:f9:80:3c:1e:d3:b6:bc:b3:
                    [...]
                    a9:42:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.net, DNS:*.example.net, DNS:*.devel.example.net
    Signature Algorithm: sha256WithRSAEncryption
         5f:2a:42:8e:d5:b5:a5:c8:22:21:ae:a4:bb:f7:1b:8c:5d:02:
         [...]
         d3:7e:bd:54:9c:61:c4:50
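All three procedures above follow the same sequence (key, CSR, self-signed certificate, check). The script below, added here as an example and not part of the original post, runs the configuration-file variant end to end and then performs the checks a practitioner would actually want: that the private key matches the certificate, that the subjectAltName requested in the CSR really ended up in the certificate, and which hostnames OpenSSL's own hostname matching accepts for the wildcard entries. It also signs the same CSR once without -extfile, to show that the SAN is dropped in that case. It assumes openssl (1.1 or later, for -verify_hostname) on PATH, writes into a scratch directory under $TMPDIR, and uses a 2048-bit key to keep the run short; the function names and file names are my own, not anything the post defines.

```shell
#!/bin/sh
# Added example: key -> CSR with SAN -> self-signed certificate, then checks.
# Assumes openssl on PATH and a writable TMPDIR (defaults to /tmp).

WORK="${TMPDIR:-/tmp}/csr-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Request config: prompt = no makes openssl req fully non-interactive,
# [alt_names] lists the hostnames the certificate should be valid for.
write_config() {
    cat > "$WORK/example.net.cfg" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName = example.net

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.net
DNS.2 = *.example.net
DNS.3 = *.devel.example.net
EOF
}

# Key and CSR, then two self-signed certificates from the same CSR:
#   with_san.crt    - signed with -extfile/-extensions, so the SAN is added
#   without_san.crt - signed the naive way; x509 -req ignores the CSR's extensions
make_certs() {
    write_config
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/example.net.key" 2>/dev/null
    openssl req -new -sha256 -config "$WORK/example.net.cfg" \
        -key "$WORK/example.net.key" -out "$WORK/example.net.csr"
    openssl x509 -req -sha256 -days 365 -in "$WORK/example.net.csr" \
        -signkey "$WORK/example.net.key" \
        -extfile "$WORK/example.net.cfg" -extensions req_ext \
        -out "$WORK/with_san.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/example.net.csr" \
        -signkey "$WORK/example.net.key" \
        -out "$WORK/without_san.crt" 2>/dev/null
}

# Succeeds if the certificate carries a Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Succeeds if OpenSSL accepts the certificate for the given hostname.
# The certificate is self-signed, so it also serves as its own trust anchor.
hostname_matches() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Succeeds if the public key in the certificate is the one from our private key.
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/example.net.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$1" -noout -pubkey)" ]
}

make_certs
key_matches_cert "$WORK/with_san.crt" && echo "private key matches with_san.crt"
for host in example.net www.example.net foo.devel.example.net foo.bar.example.net; do
    if hostname_matches "$WORK/with_san.crt" "$host"; then
        echo "with_san.crt    matches $host"
    else
        echo "with_san.crt    does NOT match $host"
    fi
done
cert_has_san "$WORK/without_san.crt" \
    || echo "without_san.crt has no SAN: browsers will reject it for every hostname"
```

The wildcard results are the interesting part: *.example.net covers www.example.net but not foo.bar.example.net, because a wildcard matches exactly one label, which is why the post's config adds *.devel.example.net separately. Note that openssl verify still falls back to the CN when a certificate has no SAN at all, so without_san.crt would pass -verify_hostname example.net on the command line; browsers do not make that fallback, which is why the SAN must be present in the final certificate and not only in the CSR.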