This documentation contains the complete set of commands to create a new OpenSSL self-signed
- certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included in a
- certificate by adding each domain as a comma-delimited string. Each key can be encrypted or unencrypted,
- with multiple encryption options; AES (aes128 or aes256) is recommended.
- Optional verification can also be performed between multiple levels of certificates to ensure the chain
+ certificate chain with V3 subjectAltName (SAN) extensions enabled. SANs can be included in a certificate
+ by adding each domain as a comma-delimited string.
Each key can be encrypted or unencrypted, with multiple encryption options; AES (aes128
+ or aes256) is recommended.
Optional verification can also be performed between multiple levels of certificates to ensure the chain of trust is valid.
-This documentation is also available in portable AsciiDoc format in my - documentation source code repository.
+This documentation is also available in portable + AsciiDoc format + in my documentation source code repository.
openssl x509 -in <CA certificate name>.pem -out
- <CA certificate name>.pem -outform PEM
openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM
openssl verify -CAfile <CA certificate name>.pem
- <intermediate CA certificate name>.pem
openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem
openssl genrsa <encryption type> -out
- <server key name>.pem <key size>
openssl genrsa <encryption type> -out <server key name>.pem <key size>
openssl rsa -noout -text -in <server key name>.pem
openssl rsa -noout -text -in <server key name>.pem
openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>"
- -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key
- <server key name>.pem -out
- <server certificate signing request name>.pem
openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem
openssl x509 -sha256 -req -days <days of validity> -in
- <server certificate signing request name>.pem -CA
- <intermediate CA certificate name>.pem -CAkey
- <intermediate CA key name>.pem -extensions SAN -extfile <(cat
- /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out
- <server certificate name>.pem
openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem
openssl x509 -noout -text -in <server certificate name>.pem
openssl x509 -noout -text -in <server certificate name>.pem
openssl verify -CAfile <intermediate CA certificate name>.pem
- <server certificate>.pem
openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem