software:openssl:createcert

Differences

This shows you the differences between two versions of the page.

software:openssl:createcert [2025/10/19 21:20] rodolico
software:openssl:createcert [2025/10/19 23:31] (current) rodolico
Line 26: Line 26:
 Here is an example of an ext file which has been merged with an openssl.cnf file to allow it to be used for both functions. Here is an example of an ext file which has been merged with an openssl.cnf file to allow it to be used for both functions.
  
-<code conf>+<code conf www.example.local.ext>
 [ req ] [ req ]
 default_bits       = 2048 # default key size default_bits       = 2048 # default key size
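Review bot: The opening tag on the changed line uses the language `conf`, while the unchanged `openssl ca` block further down the page opens with `<code cnf>`; use one identifier for both so the two configuration blocks are highlighted the same way. The file name added here, www.example.local.ext, is the one the later `-config` and `-extfile` arguments read, so it has to be kept in step with those commands if the example host name changes.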
Line 78: Line 78:
  
 Private key generation is the same as it was for the CA, except we do not want a password in most cases. If we have a password, it would require you to enter the password every time a service was restarted. Private key generation is the same as it was for the CA, except we do not want a password in most cases. If we have a password, it would require you to enter the password every time a service was restarted.
 +
 +Here, we're creating a private key named www.example.internal.key. This allows us to know which key this is for. Also note we did not include the -des3. Leaving off the encryption algorithm tells genpkey that we don't want to encrypt the key.
 +
 +<code bash>
 +openssl \
 +   genpkey \
 +   -algorithm RSA \
 +   --outform PEM \
 +   --out www.example.local.key \
 +   --pkeyopt rsa_keygen_bits:2048
 +</code>
  
 ==== Create CSR (Request) ==== ==== Create CSR (Request) ====
 +Creating a Certificate Signing Request is simpler since we have the configuration file created earlier. Basically, we call openssl with the req flag and tell it what to do.
 +
 +<code bash>
 +openssl \
 +   req \
 +   -new \
 +   -key www.example.local.key \
 +   -out www.example.local.csr \
 +   -config www.example.local.ext
 +</code>
 +
 +You can almost read this in english. Create a new (-new) signing request (req) using the key www.example.local.key, sending the output to www.example.local.csr, using the parameters found in the config file www.example.local.ext.
 +
 ==== Generate Certificate and sign ==== ==== Generate Certificate and sign ====
 +
 +The certificate file is what all of this is about. We generate it using the Signing Request (csr), signing with the key.
 +
 +<code bash>
 +openssl \
 +   x509 \
 +   -req \
 +   -in www.example.local.csr \
 +   -CA vanduzen_CA.pem \
 +   -CAkey vanduzen_CA.key \
 +   -CAcreateserial \
 +   -out www.example.local.crt \
 +   -days 365 \
 +   -sha256 \
 +   -extfile www.example.local.ext
 +</code>
 +
 +===== Automation =====
 +
 +===== openssl ca function =====
 +
 <code cnf> <code cnf>
 [ ca ] [ ca ]
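Review bot: The paragraph added before the genpkey block names the key www.example.internal.key, but the command writes www.example.local.key and every later step reads the .local name; change the prose to www.example.local.key. The same command mixes `--outform`, `--out` and `--pkeyopt` with the single-dash `-algorithm`; use single dashes throughout to match the req and x509 blocks. In the signing step, `-extfile www.example.local.ext` is given without `-extensions`, so x509 only reads extensions from the file's unnamed default section (or from an `extensions` variable there), while the file as shown opens with a `[ req ]` section; pass `-extensions` with the name of the section that holds the certificate extensions. The sentence "signing with the key" should say that this is the CA key (vanduzen_CA.key), not the server key generated above. Because the server key is deliberately written without a passphrase, a sentence on keeping that file readable only by the account running the service would fit here. The new "Automation" heading has no content under it.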
software/openssl/createcert.1760926803.txt.gz · Last modified: 2025/10/19 21:20 by rodolico