Attention: the root key (rootCA.key) is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!
# Creates the 2048-bit RSA private key for the pve1 certificate (this is not the root CA key).
# No cipher option is given, so pve1.key is written without a passphrase.
openssl genrsa -out pve1.key 2048
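If you want a key that is not password-protected, just remove the -des3 option from the genrsa command (the pve1.key command above is already written without it). A key without a passphrase is protected only by its file permissions.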
# Self-signs the root certificate rootCA.crt with rootCA.key (SHA-256, valid for 1024 days).
# rootCA.key must already exist at this point.
# -nodes only affects a key that req itself generates, so together with -key it changes nothing.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Here we used our root key to create the root certificate, which needs to be distributed to all the computers that have to trust us. Distribute only the certificate (rootCA.crt), never the root key.
The certificate signing request is where you specify the details of the certificate you want to generate. This request will be processed by the owner of the root key (you, in this case, since you created it earlier) to generate the certificate. (See the bottom of the page for a certificate.conf example.)
# Builds the signing request pve1.csr from pve1.key; subject and requested extensions come from certificate.conf.
openssl req -new -key pve1.key -out pve1.csr -config certificate.conf
# Prints the request so the subject and subjectAltName can be checked before it is signed.
openssl req -in pve1.csr -noout -text
# Signs the request with the root CA key: SHA-256, valid for 500 days.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
# -extfile/-extensions req_ext apply the [req_ext] section of certificate.conf to the issued certificate;
# x509 -req does not copy the extensions requested in the CSR unless told to.
openssl x509 -req -in pve1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out pve1.crt -days 500 -sha256 -extfile certificate.conf -extensions req_ext
# Prints the issued certificate; check that the Subject Alternative Name extension lists the expected names.
openssl x509 -in pve1.crt -text -noout
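# certificate.conf: example input for "openssl req -config" (CSR) and
# "openssl x509 -extfile ... -extensions req_ext" (signing).
[req]
# Only consulted when req generates a key itself; the CSR command passes -key.
default_bits = 2048
# Take the subject from [dn] instead of asking interactively.
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

# Subject of the certificate. Replace every value with your own.
[dn]
C = HU
ST = Budapest
L = Budapest
O = ACME
OU = ACME Inc
# Placeholder address: the original value on the page was lost to e-mail obfuscation.
emailAddress = admin@example.com
CN = example.com

# Extensions requested in the CSR and applied when the certificate is signed.
[req_ext]
# Modern TLS clients match the host name against subjectAltName rather than CN,
# so every name the server is reached by must be listed in [alt_names].
subjectAltName = @alt_names
# Mark the certificate as an end-entity certificate so it cannot act as a CA.
basicConstraints = CA:FALSE
# Limit the key to TLS server use; adjust if the certificate serves another purpose.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = example.com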