
SSL Certificate Generation Script

This script generates a self-signed root CA certificate and a server certificate using OpenSSL. It also includes subject alternative names (SANs) for custom DNS entries. The commands are structured to create certificates valid for 100 years (36500 days).

Steps:

  1. Define Subject for Certificates: The suj variable defines the subject for the certificate (the cname and username variables are expected to be set before the script runs).

    suj="//appcompat=1/C=FR/ST=PACA/L=AP/O=$cname/OU=Securite/CN=Thomas Benhamou/emailAddress=$username@$cname.com"
  2. Define Subject Alternative Name (SAN): The san variable specifies alternative domain names for the certificate.

    san="subjectAltName = DNS:*.apps.localhost,DNS:*.ports.localhost"
  3. Create a Configuration File for SAN: The following command writes the SAN configuration to san.cnf:

    echo "[v3_req]
    $san
    " > san.cnf
  4. Generate Root CA Certificate: This command creates a self-signed root CA certificate, valid for 100 years:

    openssl req -x509 -nodes -newkey rsa:2048 -keyout root-ca.key -days 36500 -out root-ca.crt -addext "$san" -subj "$suj"
  5. Generate Server Certificate Signing Request (CSR): This command generates a CSR for the server certificate:

    openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -addext "$san" -subj "$suj"
  6. Sign the Server Certificate with the Root CA: This command signs the server CSR with the root CA, applying the v3_req extensions from san.cnf and generating a certificate valid for 100 years:

    openssl x509 -req -CA root-ca.crt -CAkey root-ca.key -in server.csr -out server.crt -days 36500 -CAcreateserial -extfile ./san.cnf -extensions v3_req

Full Script for Copy-Pasting:

```bash
# cname and username must be set by the caller before running this script.
# The leading "//appcompat=1/" is a dummy attribute that exists only so that
# Git Bash (MSYS) path conversion leaves the "/C=..." subject alone;
# OpenSSL warns about the unknown attribute and skips it.
suj="//appcompat=1/C=FR/ST=PACA/L=AP/O=$cname/OU=Securite/CN=Thomas Benhamou/emailAddress=$username@$cname.com"
san="subjectAltName = DNS:*.apps.localhost,DNS:*.ports.localhost"
echo "[v3_req]
$san
" > san.cnf

# Self-signed root CA, valid for 36500 days.
openssl req -x509 -nodes -newkey rsa:2048 -keyout root-ca.key -days 36500 -out root-ca.crt -addext "$san" -subj "$suj"
# Server key and CSR.
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -addext "$san" -subj "$suj"
# Sign the CSR with the root CA, applying the v3_req extensions from san.cnf.
openssl x509 -req -CA root-ca.crt -CAkey root-ca.key -in server.csr -out server.crt -days 36500 -CAcreateserial -extfile ./san.cnf -extensions v3_req
```
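As an added example (not the gist's own script), here is the same six-step pipeline with explicit CA and leaf extensions plus the verification pass a practitioner would run before trusting the output. It assumes OpenSSL 1.1.1 or newer on PATH; the subjects, the `gen_and_verify` function and the `cert.cnf` file name are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not the gist's own script: the same root CA + SAN server
# certificate pipeline with explicit extensions and a verification pass.
# Assumes OpenSSL >= 1.1.1 on PATH; subjects and file names are constructed.
# On Git Bash, export MSYS_NO_PATHCONV=1 instead of using the "//appcompat=1/"
# trick, because every -subj value below starts with "/".
set -eu

# Generate and verify certificates in directory $1, valid for $2 days
# (default 825). Runs in a subshell so the caller's cwd is untouched.
gen_and_verify() (
    dir="$1"; days="${2:-825}"
    mkdir -p "$dir" && cd "$dir" || return 1
    # One config for all three commands, so nothing depends on the system
    # openssl.cnf: v3_ca marks the root as a CA, v3_req marks the leaf as a
    # TLS server certificate carrying the gist's wildcard SANs.
    cat > cert.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.apps.localhost,DNS:*.ports.localhost
EOF
    # Self-signed root CA (no SAN here: SANs belong on the leaf only).
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -config cert.cnf -extensions v3_ca -subj "/C=FR/O=Example Lab/CN=Example Lab Root CA" \
        -keyout root-ca.key -out root-ca.crt 2>/dev/null || return 1
    # Leaf key + CSR, then sign it with the CA and attach the v3_req extensions.
    openssl req -nodes -newkey rsa:2048 -sha256 -config cert.cnf \
        -subj "/C=FR/O=Example Lab/CN=apps.localhost" \
        -keyout server.key -out server.csr 2>/dev/null || return 1
    openssl x509 -req -sha256 -days "$days" -CA root-ca.crt -CAkey root-ca.key \
        -CAcreateserial -in server.csr -out server.crt \
        -extfile cert.cnf -extensions v3_req 2>/dev/null || return 1
    # Verify the chain for the TLS-server purpose, then confirm the SAN really
    # landed (x509 -req silently drops it when -extfile/-extensions are wrong).
    openssl verify -CAfile root-ca.crt -purpose sslserver server.crt >/dev/null || return 1
    openssl x509 -in server.crt -noout -ext subjectAltName | grep 'apps.localhost' >/dev/null
)
```

Call `gen_and_verify /path/to/scratch-dir` (optionally with a day count as the second argument); it returns non-zero if key generation, signing or verification fails.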