nikhilgeo · July 26, 2020 13:03
diff --git a/gistfile1.txt b/gistfile1.txt
 1 Create CA

 1.1 Create keys
 openssl genrsa -out rootCA_key.key 2048
 	-des3 algorithm to encrypt the key and will require you to enter a password in order for the key file to be created.
 1.2 Create Root CA cert with constraint CA = true
 openssl req -x509 -new -nodes -key rootCA_key.key -sha256  -days 1024  -out rootCA_crt.pem -extensions v3_ca -reqexts v3_req -config /usr/local/etc/openssl/openssl.cnf

 2 Create SSL cert

 2.1 Create file named v3.ext
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = domain1.com <--- should be same as subject name
 DNS.2 = domain2.dev
 IP.3 = X.X.X.X

 2.2 Create CSR
 openssl req -new -nodes -out server_csr.csr -newkey rsa:2048 -keyout server_key.key

 2.3 Issue crt with Root CA
 openssl x509 -req -in server_csr.csr -CA rootCA_crt.pem -CAkey rootCA_key.key -CAcreateserial -out server_crt.crt -days 500 -sha256 -extfile v3.ext

 MISC:
 1) pem to crt
 openssl x509 -outform der -in rootCA_crt.pem -out rootCA_crt.crt
 2) key to pem
 openssl rsa -in server.key -text > private.pem
 3) der to crt
 openssl x509 -in burp_cacert.der -inform DER -out burp_mycert.crt

 Reference:
 This is been borrowed from below and modified to my use specific use case (IP in SAN, constraint CA = true )
 https://github.com/jetstack/cert-manager/issues/279
 https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15
 https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
 https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key
	1 Create CA

	1.1 Create keys
	openssl genrsa -out rootCA_key.key 2048
	-des3 algorithm to encrypt the key and will require you to enter a password in order for the key file to be created.
	1.2 Create Root CA cert with constraint CA = true
	openssl req -x509 -new -nodes -key rootCA_key.key -sha256 -days 1024 -out rootCA_crt.pem -extensions v3_ca -reqexts v3_req -config /usr/local/etc/openssl/openssl.cnf

	2 Create SSL cert

	2.1 Create file named v3.ext
	authorityKeyIdentifier=keyid,issuer
	basicConstraints=CA:FALSE
	keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
	subjectAltName = @alt_names
	[alt_names]
	DNS.1 = domain1.com <--- should be same as subject name
	DNS.2 = domain2.dev
	IP.3 = X.X.X.X

	2.2 Create CSR
	openssl req -new -nodes -out server_csr.csr -newkey rsa:2048 -keyout server_key.key

	2.3 Issue crt with Root CA
	openssl x509 -req -in server_csr.csr -CA rootCA_crt.pem -CAkey rootCA_key.key -CAcreateserial -out server_crt.crt -days 500 -sha256 -extfile v3.ext

	MISC:
	1) pem to crt
	openssl x509 -outform der -in rootCA_crt.pem -out rootCA_crt.crt
	2) key to pem
	openssl rsa -in server.key -text > private.pem
	3) der to crt
	openssl x509 -in burp_cacert.der -inform DER -out burp_mycert.crt

	Reference:
	This is been borrowed from below and modified to my use specific use case (IP in SAN, constraint CA = true )
	https://github.com/jetstack/cert-manager/issues/279
	https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15
	https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
	https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key