+ Inferencium+
+
+ + + + + + + +
This documentation contains the complete set of commands to create a new OpenSSL self-signed
+ certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included
+ in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or
+ unencrypted, with multiple encryption options; AES (aes128 or aes256)
+ is recommended. Optional verification can also be performed between multiple levels of
+ certificates to ensure the chain of trust is valid.
This documentation is also available in portable AsciiDoc format in my
+ documentation source code repository.
+ Table of Contents
+
+
+
+
+
+ Convert Certificate to PEM Format
+ openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEMVerify Chain of Trust (CA to Intermediate)
+ openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pemCreate Server Key
+ openssl genrsa <encryption type> -out <server key name>.pem <key size>Verify Server Key
+ openssl rsa -noout -text -in <server key name>.pemCreate Server Certificate Signing Request
+ openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pemCreate Server Certificate
+ openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pemVerify Server Certificate
+ openssl x509 -noout -text -in <server certificate name>.pemVerify Chain of Trust (Intermediate to Server)
+ openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem