Managing a CA

Create the CA

1. Generate a new private key (RSA)

openssl genrsa -out myCA.key 4096

1bis. Generate a new private key (ECC), as an alternative to step 1

openssl ecparam -genkey -name secp384r1 -out myCA.key

2. Create a new CA cert

openssl req -x509 -sha256 -nodes -days 1825 -key myCA.key -out myCA.pem

Create a CSR

1. Generate a new private key (RSA)

openssl genrsa -out privateKey.key 4096

1bis. Generate a new private key (ECC), as an alternative to step 1

openssl ecparam -genkey -name secp384r1 -out privateKey.key

2. Generate a CSR for an existing private key

openssl req -out CSR.csr -key privateKey.key -new

3. Create an extension file

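In a file named extensions.ext (openssl x509 -req does not copy extensions from the CSR by default, so the subject alternative names are supplied here and applied at signing time):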

basicConstraints=CA:FALSE
subjectAltName=@my_subject_alt_names
subjectKeyIdentifier = hash

[ my_subject_alt_names ]
DNS.1 = *.domain.local
DNS.2 = *.domain2.local

Sign the CSR

openssl x509 -req -in CSR.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out certificate.crt -days 825 -sha256 -extfile extensions.ext
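
The whole procedure above, run non-interactively and then checked, as an added example that is not part of the original page. It uses the ECC variant, assumes openssl is on the PATH with its default configuration file, and the -subj values and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: runs the page's steps non-interactively, then verifies the result.
# The -subj values and the scratch directory are constructed for this example.

issue_cert() {  # $1 = empty working directory
    w=$1
    # CA key (ECC variant) and self-signed CA certificate
    openssl ecparam -genkey -name secp384r1 -out "$w/myCA.key" || return 1
    openssl req -x509 -sha256 -days 1825 -key "$w/myCA.key" \
        -subj "/CN=Example Test CA" -out "$w/myCA.pem" || return 1
    # Leaf key and CSR
    openssl ecparam -genkey -name secp384r1 -out "$w/privateKey.key" || return 1
    openssl req -new -key "$w/privateKey.key" \
        -subj "/CN=host.domain.local" -out "$w/CSR.csr" || return 1
    # Extension file from step 3
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'subjectAltName=@my_subject_alt_names' \
        'subjectKeyIdentifier = hash' '' \
        '[ my_subject_alt_names ]' \
        'DNS.1 = *.domain.local' 'DNS.2 = *.domain2.local' \
        > "$w/extensions.ext" || return 1
    # Sign the CSR with the CA key
    openssl x509 -req -in "$w/CSR.csr" -CA "$w/myCA.pem" -CAkey "$w/myCA.key" \
        -CAcreateserial -out "$w/certificate.crt" -days 825 -sha256 \
        -extfile "$w/extensions.ext"
}

check_cert() {  # $1 = directory populated by issue_cert
    w=$1
    # 1. The certificate chains to the CA
    openssl verify -CAfile "$w/myCA.pem" "$w/certificate.crt" >/dev/null || return 1
    # 2. The extensions from extensions.ext are in the issued certificate
    text=$(openssl x509 -in "$w/certificate.crt" -noout -text) || return 1
    for want in 'DNS:*.domain.local' 'DNS:*.domain2.local' 'CA:FALSE'; do
        printf '%s\n' "$text" | grep -qF "$want" || return 1
    done
    # 3. The certificate carries the public key from the CSR
    csr_pub=$(openssl req -in "$w/CSR.csr" -noout -pubkey) || return 1
    crt_pub=$(openssl x509 -in "$w/certificate.crt" -noout -pubkey) || return 1
    [ "$csr_pub" = "$crt_pub" ]
}

work=$(mktemp -d)
if issue_cert "$work" && check_cert "$work"; then
    echo "OK: chain, extensions and public key verified in $work"
else
    echo "FAILED: see $work" >&2
fi
```

The scratch directory holds throwaway private keys; delete it once the checks have been read.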