To generate a self-signed certificate together with a new, unencrypted 2048-bit RSA private key, run the following:
# Creates a new 2048-bit RSA key and a self-signed certificate described by 12factor.req.
# -nodes writes 12factor.key without a passphrase, so file permissions are its only protection
# (OpenSSL 3.0 names this option -noenc and deprecates -nodes).
# -days 3650 makes the certificate valid for about ten years; a self-signed certificate has no
# CA that can revoke it, so a leaked key stays usable until every client stops trusting the cert.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
    -config 12factor.req \
    -keyout 12factor.key \
    -out 12factor.cert \
    -days 3650
Where 12factor.req is the following OpenSSL request configuration file:
# OpenSSL request configuration, passed to `openssl req` with -config.
[ req ]
# Key size used when -newkey does not give one; the command on this page passes rsa:2048 explicitly.
# NOTE(review): 2048-bit RSA is the usual minimum; consider a larger key for a certificate meant to live ten years.
default_bits = 2048
# Private-key output path; the command's -keyout names the same file.
default_keyfile = 12factor.key
# Section that holds the subject name fields.
distinguished_name = subject
# Extensions added to a certificate signing request.
req_extensions = req_ext
# Extensions added to the certificate when -x509 is given.
x509_extensions = x509_ext
string_mask = utf8only
# Take the subject fields from this file instead of prompting for them.
prompt = no
# Subject distinguished name; in a self-signed certificate it is also the issuer name.
[ subject ]
countryName = AU
stateOrProvinceName = NSW
localityName = Sydney
organizationName = Pivotal
# Modern TLS clients match host names against subjectAltName, not commonName.
commonName = 12factor.com
# NOTE(review): the value below is e-mail-obfuscation residue left by the page, not a real
# address; replace it with a real contact address before generating anything.
emailAddress = [email protected]
# Section x509_ext is used when generating a self-signed certificate (the -x509 case).
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# CA:FALSE marks this as an end-entity certificate that must not sign other certificates.
basicConstraints = CA:FALSE
# Signatures and RSA key transport: the usages a TLS endpoint with an RSA key needs.
keyUsage = digitalSignature, keyEncipherment
# Host names are listed in the alternate_names section.
subjectAltName = @alternate_names
# Legacy Netscape comment extension; informational only.
nsComment = "OpenSSL Generated Certificate"
# Permits use as both a TLS server and a TLS client certificate.
# NOTE(review): drop clientAuth if the certificate only has to identify a server.
extendedKeyUsage = serverAuth, clientAuth
# Section req_ext is used when generating a certificate signing request,
# i.e. when `openssl req` runs without -x509.
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# NOTE(review): same least-privilege point as in x509_ext; request clientAuth only if it is needed.
extendedKeyUsage = serverAuth, clientAuth
# Host names the certificate is valid for.
[ alternate_names ]
DNS.1 = 12factor.com
# The wildcard matches one label below 12factor.com (for example www.12factor.com);
# the bare domain is covered by DNS.1.
DNS.2 = *.12factor.com
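Then combine the private key and the certificate into a single .pem file. The result contains the unencrypted private key, so it must be readable only by the account that serves it: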
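# 12factor.pem holds the unencrypted private key followed by the certificate.
# A plain redirect would create it with the caller's default umask, which usually leaves it
# group- and world-readable. Create it under a restrictive umask (in a subshell, so the
# caller's umask is untouched) and reset the mode in case the file already existed.
(umask 077 && cat 12factor.key 12factor.cert > 12factor.pem)
chmod 600 12factor.pem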
Then extract the certificate's public key, for use in validation:
# Writes the certificate's public key (PEM) to 12factor.pub. x509 reads the CERTIFICATE block
# and skips the private key that precedes it in the bundle.
# NOTE(review): -in 12factor.cert should give the same output without this step having to
# read the key-bearing file.
openssl x509 -in 12factor.pem -noout -pubkey > 12factor.pub