====== How to create a self-signed or official SSL/TLS certificate without questions asked (non-interactive) on the command line interface ======

===== Goal: =====

  * create an X.509 server certificate for use in TLS (SSL)
  * self-signed (not official, not trusted by default)
  * includes multiple alternative (alias) DNS hostnames (virtual hosts)
  * includes an administrative email contact
  * create a new private key or reuse the host's existing one
  * non-interactive (no questions asked)
  * no passphrase on the private key
  * works on Ubuntu 20.04 LTS and similar

==== Generate self-signed server certificate including new private key ====

To create a new private key plus a self-signed certificate in one step use:
<code bash>
# -x509    : output a self-signed certificate instead of a CSR
# -nodes   : leave the private key unencrypted (no passphrase prompt)
# -newkey  : generate a fresh 4096 bit RSA key and write it to -keyout
# -subj    : complete subject on the command line, so nothing is asked
# -addext  : ONE subjectAltName holding ALL names, comma separated; a second
#            -addext subjectAltName= is rejected by openssl as a duplicate
#            extension. The CN itself is listed too, because clients match
#            the host name against the SAN, not the CN, and a wildcard does
#            not cover the bare domain.
openssl req \
  -x509 \
  -sha256 \
  -nodes \
  -days 3650 \
  -newkey rsa:4096 \
  -keyout yourHostnameHere.key \
  -out yourHostnameHere.SELFSIGNED.$(date +%F).crt \
  -subj "/C=CountryCode/ST=StateCode/L=LocationCity/O=yourOrganisationOrFqdn/OU=yourOrganisationalUnitOrFqdn/CN=your.FqdnHost.name/emailAddress=your@email.tld/" \
  -addext 'subjectAltName=DNS:your.FqdnHost.name,DNS:www.your.FqdnHost.name,DNS:*.your.FqdnHost.name,DNS:more.FqdnHost.name'
</code>

To read/show a certificate in human-readable format use:
<code bash>
openssl x509 -text -noout -in yourNewCertificateFileToDisplay | more
</code>
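The self-signed command above, wrapped into a small POSIX shell script as an added example (this is not code from the original page): it puts every alias into a single ''subjectAltName'' extension, then checks that each expected ''DNS:'' entry is present in the certificate and that issuer and subject are identical, which is what "self-signed" means. The host names, subject fields and the temporary working directory are placeholders chosen for the example; the key size is 2048 bit only to keep the run short.

```bash
#!/bin/sh
# Added example, not part of the original page: build a self-signed server
# certificate with several DNS names in ONE subjectAltName extension and then
# check that every name really ended up in the certificate.
# Host names, subject fields and file locations are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a fresh RSA key and a self-signed certificate for $1 (the CN).
# $2 is the SAN list in OpenSSL syntax, e.g. "DNS:a.example,DNS:*.example".
# Prints the path of the certificate file.
make_selfsigned() {
    host="$1"
    sans="$2"
    openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$WORKDIR/$host.key" \
        -out "$WORKDIR/$host.crt" \
        -subj "/C=XX/ST=State/L=City/O=Example/OU=IT/CN=$host/emailAddress=admin@$host/" \
        -addext "subjectAltName=$sans" 2>/dev/null
    printf '%s\n' "$WORKDIR/$host.crt"
}

# Print "ok" when the certificate is self-signed (issuer == subject) and its
# SAN contains every DNS name given after the file name; otherwise print what
# is wrong and return 1.
check_cert() {
    crt="$1"
    shift
    text=$(openssl x509 -noout -text -in "$crt")
    for name in "$@"; do
        case "$text" in
            *"DNS:$name"*) ;;
            *) printf 'missing SAN DNS:%s\n' "$name"; return 1 ;;
        esac
    done
    subj=$(openssl x509 -noout -subject -in "$crt")
    issr=$(openssl x509 -noout -issuer -in "$crt")
    if [ "${subj#subject=}" != "${issr#issuer=}" ]; then
        echo "not self-signed"
        return 1
    fi
    echo ok
}

# Stand-alone run: one certificate for the CN plus three aliases.
HOST=your.fqdnhost.test
SANS="DNS:$HOST,DNS:www.$HOST,DNS:*.$HOST,DNS:more.fqdnhost.test"
CRT=$(make_selfsigned "$HOST" "$SANS")
check_cert "$CRT" "$HOST" "www.$HOST" "*.$HOST" more.fqdnhost.test
```

Run it as ''sh selfsigned.sh''; it prints ''ok'' and leaves ''your.fqdnhost.test.key'' and ''your.fqdnhost.test.crt'' in the temporary directory. ''check_cert'' is the part worth keeping around: run it against any certificate you are about to deploy to confirm that every virtual host name is really covered before a browser tells you otherwise.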


==== Generate (unprotected) private key only ====

<code bash>
openssl genrsa -out yourFqdnHostname.key 2048
</code>

To view/show a private key in a more human-readable format use:
<code bash>
openssl rsa -text -noout -in yourFqdnHostname.key | more
</code>


==== Request official server certificate using existing private key (CSR) ====

This creates a certificate signing request for an existing key; the CSR, not the private key, is what you hand to the certificate authority. Whether the CA copies the alias names from the CSR into the issued certificate is up to the CA, so compare the result with the command below before deploying it.
<code bash>
# -new    : write a CSR (no -x509) for a CA to sign
# -key    : reuse the host's existing private key
# -addext : ONE subjectAltName holding ALL names, comma separated
openssl req \
  -new \
  -key yourKeyFile.key \
  -out yourCsrFileHere.csr \
  -subj "/C=CountryCode/ST=StateCode/L=LocationCity/O=yourOrganisationOrFqdn/OU=yourOrganisationalUnitOrFqdn/CN=your.FqdnHost.name/emailAddress=your@email.tld/" \
  -addext 'subjectAltName=DNS:your.FqdnHost.name,DNS:www.your.FqdnHost.name,DNS:*.your.FqdnHost.name,DNS:more.FqdnHost.name'
</code>

To view/show a CSR in human-readable format use:
<code bash>
openssl req -text -noout -in yourCsrFileHere.csr | more
</code>

==== Self sign a given CSR ====

:!: **WARNING:** This does NOT pass the alternative DNS hostnames from the CSR through to the certificate! The ''-addext'' option is also not available in the ''x509'' context, so this section is of little use at the moment. For better control, set up a full CA and use the ''openssl ca'' context instead.

<code bash>
# -req     : the input file is a CSR, not a certificate
# -signkey : sign with the CSR's own private key (self-signed)
# NOTE: the subjectAltName from the CSR is NOT copied into the certificate
openssl x509 \
  -req \
  -sha256 \
  -days 3650 \
  -in yourCsrFileHere.csr \
  -signkey yourKeyFile.key \
  -out yourHostnameHere.SELFSIGNED.$(date +%F).crt
</code>
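The warning above, made visible in an added example (not code from the original page): the script builds a CSR that carries a ''subjectAltName'', self-signs it twice with ''openssl x509 -req'', once exactly as in the section above and once with the SAN handed in through ''-extfile'', which is the ''x509''-context substitute for ''-addext''. The plain run yields a certificate with no SAN at all; the ''-extfile'' run keeps the names. Host names, subject fields and the temporary working directory are placeholders chosen for the example.

```bash
#!/bin/sh
# Added example, not part of the original page: show that `openssl x509 -req`
# drops the subjectAltName of a CSR, and that -extfile restores it.
# Host names, subject fields and file locations are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Fresh key plus a CSR for $1 with the SAN list $2 (e.g. "DNS:a,DNS:b").
# Prints the CSR path; the key is written next to it as $1.key.
make_csr() {
    host="$1"
    sans="$2"
    openssl genrsa -out "$WORKDIR/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$host.key" \
        -out "$WORKDIR/$host.csr" \
        -subj "/C=XX/O=Example/CN=$host/" \
        -addext "subjectAltName=$sans"
    printf '%s\n' "$WORKDIR/$host.csr"
}

# Self-sign CSR $1 with key $2 into $3. With an empty $4 this is exactly the
# command from the section above (SAN lost). A non-empty $4 is written to a
# one-line extension file and applied with -extfile (SAN kept).
selfsign_csr() {
    csr="$1"; key="$2"; out="$3"; sans="${4:-}"
    if [ -z "$sans" ]; then
        openssl x509 -req -sha256 -days 3650 -in "$csr" -signkey "$key" \
            -out "$out" 2>/dev/null
    else
        printf 'subjectAltName=%s\n' "$sans" > "$out.ext"
        openssl x509 -req -sha256 -days 3650 -in "$csr" -signkey "$key" \
            -extfile "$out.ext" -out "$out" 2>/dev/null
    fi
}

# Print the SAN value line of a certificate, or "none" if it has no SAN.
cert_san() {
    openssl x509 -noout -text -in "$1" | awk '
        /Subject Alternative Name/ { getline; sub(/^ +/, ""); print; found = 1 }
        END { if (!found) print "none" }'
}

# Stand-alone run: same CSR, two signatures, compare the SAN of each result.
HOST=your.fqdnhost.test
SANS="DNS:www.$HOST,DNS:more.fqdnhost.test"
CSR=$(make_csr "$HOST" "$SANS")
selfsign_csr "$CSR" "$WORKDIR/$HOST.key" "$WORKDIR/plain.crt"
selfsign_csr "$CSR" "$WORKDIR/$HOST.key" "$WORKDIR/withsan.crt" "$SANS"
echo "plain:   $(cert_san "$WORKDIR/plain.crt")"    # none
echo "extfile: $(cert_san "$WORKDIR/withsan.crt")"  # DNS:www.your.fqdnhost.test, DNS:more.fqdnhost.test
```

The ''-extfile'' route means the SAN is typed twice (once for the CSR, once for the signing step), which is exactly the bookkeeping the ''openssl ca'' context avoids; ''cert_san'' is a quick way to catch the case where the two drift apart.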


----
{{tag>linux cli crt csr key openssl ca certificate ssl tls cli command line commandline }}
it-artikel/linux/how-to-create-a-self-signed-or-official-ssl-tls-certificate-without-questions-asked-non-interactive-on-the-command-line-interface.txt · Last modified: 2022-08-31 12:30 by 127.0.0.1