OpenSSL Certificate Chain
Version: 0.0.0.5
This documentation contains the complete set of commands to create a new OpenSSL self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or unencrypted, with multiple encryption options; AES is recommended.
Create Certificate Authority Key
openssl genrsa -aes256 -out ca-key.pem 4096
Verify Certificate Authority Key
openssl rsa -noout -text -in ca-key.pem
Create Certificate Authority Certificate
openssl req -new -x509 -days 3653 -extensions v3_ca -key ca-key.pem -out ca-crt.pem
Convert Certificate to PEM Format
openssl x509 -in ca-crt.pem -out ca-crt.pem -outform PEM
Verify Certificate Authority Certificate
openssl x509 -noout -text -in ca-crt.pem
Create Intermediate Certificate Authority Key
openssl genrsa -aes256 -out intermediate-key.pem 4096
Verify Intermediate Certificate Authority Key
openssl rsa -noout -text -in intermediate-key.pem
Create Intermediate Certificate Signing Request
openssl req -new -sha256 -key intermediate-key.pem -out intermediate-csr.pem
Create Intermediate Certificate Authority Certificate
openssl ca -config intermediate.conf -extensions v3_intermediate_ca -days 1096 -notext -md sha256 -in intermediate-csr.pem -out intermediate-crt.pem
Verify Intermediate Certificate Authority Certificate
openssl x509 -noout -text -in intermediate-crt.pem
Verify Chain of Trust (CA to Intermediate)
openssl verify -CAfile ca-crt.pem intermediate-crt.pem
Create Server Key
openssl genrsa -aes256 -out server-key.pem 2048
Create Server Certificate Signing Request
openssl req -new -sha256 -subj "/C=/ST=/L=/O=/CN=" -addext "subjectAltName = DNS.1:" -key server-key.pem -out server-csr.pem
Create Server Certificate
openssl x509 -sha256 -req -days 365 -in server-csr.pem -CA intermediate-crt.pem -CAkey intermediate-key.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out server-crt.pem
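The steps above verify the CA-to-intermediate link but stop once the server certificate is issued. The script below is an added example, not part of the original documentation: it builds a throwaway chain and checks each leaf against the full chain and for its SAN, showing that `openssl x509 -req` drops the CSR's SAN unless `-extfile`/`-extensions` is given. The names `demo.cnf`, `www.example.test`, `server-nosan.pem` and the helper functions are constructed for the demo, and the keys are deliberately unencrypted.

```shell
# Added example. Throwaway unencrypted keys and constructed names, for a
# temp directory only; never reuse them outside this demo.
set -eu

# True if certificate $1 lists DNS name $2 in its subjectAltName.
has_san() { openssl x509 -noout -text -in "$1" | grep -Fq "DNS:$2"; }
# True if leaf $1 chains to root $2 through intermediate $3.
chain_ok() { openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; }

# Build root -> intermediate -> server for hostname $2 inside directory $1.
build_demo_chain() (
  cd "$1"; exec 2>openssl.log          # keep OpenSSL chatter in a log file
  cat > demo.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[SAN]
subjectAltName = DNS:$2
EOF
  req="openssl req -new -newkey rsa:2048 -nodes -config demo.cnf"
  sign="openssl x509 -req -sha256 -days 2 -CAcreateserial"
  $req -x509 -days 2 -extensions ca_ext -subj "/CN=Demo Root CA" \
       -keyout ca-key.pem -out ca-crt.pem
  $req -subj "/CN=Demo Intermediate CA" \
       -keyout intermediate-key.pem -out intermediate-csr.pem
  $sign -in intermediate-csr.pem -CA ca-crt.pem -CAkey ca-key.pem \
        -extfile demo.cnf -extensions ca_ext -out intermediate-crt.pem
  # -reqexts puts the SAN in the CSR, with the same effect as -addext above.
  $req -reqexts SAN -subj "/CN=$2" -keyout server-key.pem -out server-csr.pem
  # Signed without -extfile: the CSR's SAN is not copied into the certificate.
  $sign -in server-csr.pem -CA intermediate-crt.pem -CAkey intermediate-key.pem \
        -out server-nosan.pem
  # Signed as in the last step above, with -extensions SAN -extfile.
  $sign -in server-csr.pem -CA intermediate-crt.pem -CAkey intermediate-key.pem \
        -extfile demo.cnf -extensions SAN -out server-crt.pem
)

demo_dir=$(mktemp -d)
build_demo_chain "$demo_dir" www.example.test
cd "$demo_dir"
for crt in server-nosan.pem server-crt.pem; do
  chain_ok "$crt" ca-crt.pem intermediate-crt.pem && chain=ok || chain=FAIL
  has_san "$crt" www.example.test && san=present || san=MISSING
  echo "$crt: chain=$chain san=$san"
done
```

Both certificates pass chain verification; only the SAN check tells them apart, so run both checks on a newly issued server certificate.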