it-artikel:linux:how-to-create-a-self-signed-or-official-ssl-tls-certificate-without-questions-asked-non-interactive-on-the-command-line-interface
— | it-artikel:linux:how-to-create-a-self-signed-or-official-ssl-tls-certificate-without-questions-asked-non-interactive-on-the-command-line-interface [2022-08-31 12:30] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== How to create a self signed or official ssl tls certificate without questions asked (non-interactive) on the command line interface ====== | ||
+ | ===== Goal: ===== | ||
+ | |||
+ | |||
+ | * create a x509 server certificate for use in TLS (ssl) | ||
+ | * self signed (not official, not trusted by default) | ||
+ | * includes multiple alternative (alias) DNS hostnames (virtual hosts) | ||
+ | * includes administrative email contact | ||
+ | * create new or reuse a host's private key | ||
+ | * non interactive (no questions asked) | ||
+ | * no passphrases for private key | ||
+ | * works on UBUNTU 20.04 LTS and similar | ||
+ | |||
+ | ==== Generate self signed server certificate incl. new private key ==== | ||
+ | |||
+ | To create a new private key + self signed certificate use: | ||
+ | <code bash> | ||
+ | openssl req \ | ||
+ | -x509 \ | ||
+ | -sha256 \ | ||
+ | -nodes | ||
+ | -days 3650 \ | ||
+ | -newkey rsa:4096 \ | ||
+ | -keyout youtHostnameHere.key \ | ||
+ | -out youtHostnameHere.SELFSIGNED.$(date +%F).crt \ | ||
+ | -subj "/ | ||
+ | -addext subjectAltName=DNS: | ||
+ | -addext ' | ||
+ | -addext subjectAltName=DNS: | ||
+ | </ | ||
+ | |||
+ | To read/show a certificate in human readable format use: | ||
+ | <code bash> | ||
+ | openssl x509 -text -noout -in yourNewCertificateFileToDisplay | more | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ==== Generate (unprotected) private key only: ==== | ||
+ | |||
+ | <code bash> | ||
+ | openssl genrsa -out yourFqdnHostname.key 2048 | ||
+ | </ | ||
+ | |||
+ | To view/show private key in a more human readable format use: <code bash> | ||
+ | openssl rsa -text -in ourFqdnHostname.key | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ==== Request official server certificate using existing private key (csr) ==== | ||
+ | |||
+ | <code bash> | ||
+ | openssl req \ | ||
+ | -new \ | ||
+ | -key yourKeyFile.key \ | ||
+ | -out youtHostnameHere.SELFSIGNED.$(date +%F).crt \ | ||
+ | -subj "/ | ||
+ | -addext subjectAltName=DNS: | ||
+ | -addext ' | ||
+ | -addext subjectAltName=DNS: | ||
+ | </ | ||
+ | |||
+ | To view/show CSR in human readable format use: <code bash> | ||
+ | openssl req -text -noout -in yourCsrFileHere.csr | more | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Self sign a given csr ==== | ||
+ | |||
+ | :!: **WARNING: | ||
+ | |||
+ | <code bash> | ||
+ | openssl x509 \ | ||
+ | -req | ||
+ | -sha256 | ||
+ | -days 3650 | ||
+ | -in yourCsrFileHere.csr | ||
+ | -signkey yourKeyFile.key | ||
+ | -out youtHostnameHere.SELFSIGNED.$(date +%F).crt | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ---- | ||
+ | {{tag> |
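Review bot: Line continuations are missing in two of the added commands, so neither runs as a single openssl invocation. In the first `openssl req` block, `-nodes` has no trailing `\`. In the "Self sign a given csr" block, none of the lines from `-req` through `-signkey yourKeyFile.key` end in `\`. The shell ends the command at the first unterminated line and then tries to execute the next option line as a command of its own. Add ` \` to each of those lines. In the CSR section, `-out youtHostnameHere.SELFSIGNED.$(date +%F).crt` writes the request under a certificate file name, while the view command right after it reads `yourCsrFileHere.csr`; the output should carry a `.csr` name so the two steps line up. The placeholders `youtHostnameHere` and `ourFqdnHostname.key` look like typos for the `your...` names used elsewhere. The key-only command generates 2048 bits where the first block uses `rsa:4096`; align them or state why they differ.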
it-artikel/linux/how-to-create-a-self-signed-or-official-ssl-tls-certificate-without-questions-asked-non-interactive-on-the-command-line-interface.txt · Last modified: 2022-08-31 12:30 by 127.0.0.1