#######
OpenSSL
#######

Generate private key
====================

.. code:: shell

  # No cipher option is given, so the key is written unencrypted.
  openssl \
  genrsa \
  -out "private_key.pem" \
  4096 \

Human readable:

.. code:: shell

  openssl \
  rsa \
  -in "private_key.pem" \
  -noout \
  -text \

Generate a certificate request
==============================

* Generate a private key.

* Generate the request, answering the prompts below in order; enter ``.`` to leave a field empty:

  * Country Name (2 letter code)
  * State or Province Name (full name)
  * Locality Name (eg, city)
  * Organization Name (eg, company)
  * Organizational Unit Name (eg, section)
  * Common Name (e.g. server FQDN or YOUR name)
  * Email Address
  * A challenge password
  * An optional company name

.. code:: shell

  # One answer per line, in the order of the prompts listed above.
  echo -n "\
  US
  Region / County (code)
  City / Place
  Group / Management / Unit
  Section
  certificate_name
  alias@domain.tld
  .
  .
  " \
  | \
  openssl \
  req \
  -new \
  -key "private_key.pem" \
  -out "certificate_request.csr" \
  -utf8 \

Human readable:

.. code:: shell

  openssl \
  req \
  -in "certificate_request.csr" \
  -noout \
  -text \

Create a Certification Authority
================================

init
----

.. code:: shell

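  # Recreate the directory layout that the default openssl.cnf (CA_default) expects.
  # This deletes any existing "demoCA" directory, including its index and serial.
  rm --force --recursive "demoCA"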
  mkdir --parents "demoCA/newcerts"
  echo -n "" > "demoCA/index.txt"
  echo "00" > "demoCA/serial"

request
-------

.. code:: shell

  echo -n "\
  US
  Region / County (code)
  City / Place
  Decreasing / Hierarchy
  Name
  Name
  alias@domain.tld
  .
  .
  " \
  | \
  openssl \
  req \
  -new \
  -key "name.pem" \
  -out "name.csr" \
  -utf8 \

signature
---------

.. code:: shell

  openssl \
  ca \
  -selfsign \
  -in "name.csr" \
  -keyfile "name.pem" \
  -notext \
  -out "name.crt" \
  -startdate 20160801000000Z \
  -enddate 20180801000000Z \
  -batch \
  -extensions "v3_ca" \

quick & dirty variant
---------------------

.. code:: shell

  openssl \
  ca \
  -selfsign \
  -keyfile "private_key.pem" \

Sign request
============

.. code:: shell

  openssl \
  req \
  -in "certificate_request.csr" \
  -key "private_key.pem" \
  -x509 \
  -set_serial 0 \
  -days 730 \
  -out "certificate.crt" \
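
The following script is an added example, not part of the original page: it checks that the private key, the request and the certificate produced above carry the same public key and that the certificate has not expired. The 2048-bit key size, the ``-subj`` value, the temporary directory and the function names are assumptions made so the sample runs quickly and without prompts.

```shell
#!/bin/sh
# Added example: confirm that key, CSR and certificate share one public key.
# File names follow the page; the 2048-bit size, the -subj value and the
# temporary directory are assumptions so the sample runs fast and unattended.

# SHA-256 of the DER public key held by a private key, CSR or certificate.
pubkey_digest() {
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout) ;;
    csr) pem=$(openssl req -in "$2" -noout -pubkey) ;;
    crt) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
    *) echo "unknown kind: $1" >&2; return 2 ;;
  esac || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d ' ' -f 1
}

# Succeeds only if all three files carry the same public key and the
# certificate is still inside its validity period.
check_bundle() {
  k=$(pubkey_digest key "$1") || return 1
  r=$(pubkey_digest csr "$2") || return 1
  c=$(pubkey_digest crt "$3") || return 1
  [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1
  openssl x509 -in "$3" -noout -checkend 0 >/dev/null
}

# Constructed sample: build the page's three files inside directory $1.
make_sample() {
  openssl genrsa -out "$1/private_key.pem" 2048 2>/dev/null &&
  openssl req -new -key "$1/private_key.pem" -subj "/CN=certificate_name" \
    -out "$1/certificate_request.csr" &&
  openssl req -in "$1/certificate_request.csr" -key "$1/private_key.pem" \
    -x509 -set_serial 0 -days 730 -out "$1/certificate.crt"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample "$work"
if check_bundle "$work/private_key.pem" "$work/certificate_request.csr" \
    "$work/certificate.crt"; then
  echo "bundle consistent"
else
  echo "MISMATCH"
fi
```

Call ``check_bundle`` with your own three file paths; a non-zero exit status means the files do not belong together or the certificate has expired.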