1. Create Root CA (Done once)

1.1. Create Root Key

Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

If you want a non password protected key just remove the -des3 option

1.2. Create and self sign the Root Certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.

1.3. Add rootCA.crt into Trusted Root Certification Authorities

Double click to your rootCA.crt

2. Create a certificate (Done for each server)

This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA

2.1. Create the certificate key

openssl genrsa -out mydomain.com.key 2048

2.2. Create the signing (csr)

The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.

Important: Please mind that while creating the signign request is important to specify the Common Name providing the IP address or domain name for the service, otherwise the certificate cannot be verified.

openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=North Carolina/O=ORG/OU=ORG_UNIT/CN=mydomain.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:*.mydomain.com")) -out mydomain.com.csr

2.3. Generate the certificate using the `mydomain` csr and key along with the CA Root key

openssl x509 -req -extfile <(printf "subjectAltName=DNS:mydomain.com,DNS:*.mydomain.com") -days 5000 -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -sha256

daubac402/self-signed-certificate-with-custom-ca.md