A quick guide for creating self-signed certificates using OpenSSL

self_signed_certs.md

Creating a Self-Signed Certificate

Prerequisites

• You'll need to install OpenSSL to create and sign certificates.
  • Linux: sudo apt-get install openssl
  • MacOS: brew install openssl

Getting Started

1. Create a root key for your new certificate authority

   • openssl genrsa -out root_ca.key 2048

2. Use the root key to sign a root certificate

   • openssl req -x509 -new -nodes -key root_ca.key -sha256 -days 1024 -out root_ca.pem

3. Create a private key

   • openssl genrsa -out server.key 2048

4. Create a certificate signing request

   • When prompted, set the Common Name equal to the IP address or domain name at which your certificate will be found
   • openssl req -new -key server.key -out server.csr

5. Sign the CSR with your root key and root certificate

   • If you are creating a certificate for an IP address:

     • openssl x509 -req -extfile <(printf "subjectAltName=IP:127.0.0.1") -in server.csr -CA root_ca.pem -CAkey root_ca.key -CAcreateserial -out server.crt -days 3650 -sha256

   • If you are creating a certificate for a domain name:

     • openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com") -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256

Hello, there is a mistake in the last command - incorrect name for root certificate and key. It is rootCA.pem and rootCA.key but must be root_ca.pem and root_ca.key

cp /path/to/root-ca.pem /usr/local/share/ca-certificates
sudo update-ca-certificates
Provides for updating CA (Certificate Authority) certificates on Linux systems