@koonix
Last active July 12, 2025 10:52
Creating Self-Signed ED25519 CA and Certificates

IMPORTANT: The Common Name (CN) of each server certificate must differ from the CA's CN. Otherwise, things won't work on servers that use OpenSSL, because a certificate whose subject and issuer names match looks self-signed to OpenSSL.

CA

openssl genpkey -algorithm ed25519 > ca-key.pem

openssl req -x509 -new -sha512 -days 365250 -subj '/CN=ca' -key ca-key.pem -out ca-cert.pem

Servers

openssl genpkey -algorithm ed25519 > server-key.pem

openssl req -new -sha512 -subj '/CN=server' -key server-key.pem -out server-csr.pem

openssl x509 -days 365250 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

Note for setting the SAN (Subject Alternative Name)

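To set the SAN of the server certificate, add this option to the last command (openssl x509 ...). The value needs a type prefix such as DNS:, and the <(...) syntax requires a shell with process substitution, such as bash or zsh:

-extfile <(printf "subjectAltName=DNS:my.san.com")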

For adding an IP SAN:

-extfile <(printf "subjectAltName=IP:1.2.3.4")

Verify

openssl verify -verbose -CAfile ca-cert.pem server-cert.pem
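
The steps above combined into one script, as an added example that is not part of the original gist: it writes the SAN to a regular extension file instead of using process substitution and checks the hostname during verification. The function names, the directory layout, the `DAYS` variable and the `server-ext.cnf` file name are assumptions.

```sh
#!/bin/sh
# Added example (not the gist author's script). Function names, the
# directory layout and the extension file name are assumptions.

DAYS=${DAYS:-365250}   # lifetime used on the page; override for shorter-lived certs

# make_pki <dir> <dns-name>: create an Ed25519 CA and one server cert in <dir>.
make_pki() {
    dir=$1 host=$2
    # The page's IMPORTANT note: the server CN must differ from the CA CN.
    [ "$host" != "ca" ] || { echo "server CN must differ from CA CN" >&2; return 1; }
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077   # keep private keys unreadable by other users
        # CA key and self-signed CA certificate
        openssl genpkey -algorithm ed25519 -out ca-key.pem &&
        openssl req -x509 -new -sha512 -days "$DAYS" -subj '/CN=ca' \
            -key ca-key.pem -out ca-cert.pem &&
        # Server key and CSR
        openssl genpkey -algorithm ed25519 -out server-key.pem &&
        openssl req -new -sha512 -subj "/CN=$host" \
            -key server-key.pem -out server-csr.pem &&
        # SAN goes in a regular file, so no process substitution is needed
        printf 'subjectAltName=DNS:%s\n' "$host" > server-ext.cnf &&
        openssl x509 -req -days "$DAYS" -in server-csr.pem \
            -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
            -extfile server-ext.cnf -out server-cert.pem
    )
}

# check_host <dir> <name>: verify the chain and match <name> against the cert.
check_host() {
    openssl verify -CAfile "$1/ca-cert.pem" -verify_hostname "$2" "$1/server-cert.pem"
}

# Run directly as: script.sh <dir> <dns-name>
if [ $# -ge 2 ]; then
    make_pki "$1" "$2" && check_host "$1" "$2"
fi
```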