To create a new private key + self-signed certificate use:
openssl req \
    -x509 \
    -sha256 \
    -nodes \
    -days 3650 \
    -newkey rsa:4096 \
    -keyout yourHostnameHere.key \
    -out yourHostnameHere.SELFSIGNED.$(date +%F).crt \
    -subj "/C=CountryCode/ST=StateCode/L=LocationCity/O=yourOrganisationOrFqdn/OU=yourOrganisationalUnitOrFqdn/CN=your.FqdnHost.name/emailAddress=your@email.tld/" \
    -addext 'subjectAltName=DNS:www.your.FqdnHost.name,DNS:*.your.FqdnHost.name,DNS:more.FqdnHost.name'
Note: list all alternative names comma-separated in a single -addext subjectAltName=... option; OpenSSL rejects a second -addext for the same extension.
To read/show a certificate in human readable format use:
openssl x509 -text -noout -in yourNewCertificateFileToDisplay | more
To create a new private key use:
openssl genrsa -out yourFqdnHostname.key 2048
To view/show private key in a more human readable format use:
openssl rsa -text -in yourFqdnHostname.key | more
To create a certificate signing request (CSR) from an existing private key use:
openssl req \
    -new \
    -key yourKeyFile.key \
    -out yourCsrFileHere.csr \
    -subj "/C=CountryCode/ST=StateCode/L=LocationCity/O=yourOrganisationOrFqdn/OU=yourOrganisationalUnitOrFqdn/CN=your.FqdnHost.name/emailAddress=your@email.tld/" \
    -addext 'subjectAltName=DNS:www.your.FqdnHost.name,DNS:*.your.FqdnHost.name,DNS:more.FqdnHost.name'
To view/show CSR in human readable format use:
openssl req -text -noout -in yourCsrFileHere.csr | more
WARNING: This does NOT pass through the alternative DNS hostnames to the certificate!!! Also the -addext option is not available within x509 context. So this section is mostly useless atm. For better control set up a full blown CA and use the openssl ca context instead.
openssl x509 \
    -req \
    -sha256 \
    -days 3650 \
    -in yourCsrFileHere.csr \
    -signkey yourKeyFile.key \
    -out yourHostnameHere.SELFSIGNED.$(date +%F).crt
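The warning above can be checked directly. The following script is an added example, not part of the original page: it builds a CSR with SANs, signs it once with the command above and once with the SANs re-supplied through the x509 -extfile option, then shows which files carry the names. It assumes OpenSSL 1.1.1 or later; the example.test hostnames and all file names are constructed.

```sh
#!/bin/sh
# Added example: throwaway key material in a temp directory, constructed names.
SAN='DNS:www.example.test,DNS:*.example.test,DNS:more.example.test'

# Print the SAN line of a CSR or certificate; prints nothing when there is none.
san_of() {  # $1 = req|x509, $2 = file
    openssl "$1" -in "$2" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Build key + CSR with SANs, then self-sign the CSR twice:
#   plain.crt : the x509 -req command from the page (extensions not copied)
#   san.crt   : same command, SANs supplied again via -extfile
make_certs() {  # $1 = work directory
    d=$1
    openssl genrsa -out "$d/host.key" 2048 2>/dev/null
    openssl req -new -key "$d/host.key" -out "$d/host.csr" \
        -subj "/CN=example.test" -addext "subjectAltName=$SAN"
    openssl x509 -req -sha256 -days 30 -in "$d/host.csr" \
        -signkey "$d/host.key" -out "$d/plain.crt" 2>/dev/null
    # Extension file with no section header: entries land in the default section.
    printf 'subjectAltName=%s\n' "$SAN" > "$d/san.ext"
    openssl x509 -req -sha256 -days 30 -in "$d/host.csr" \
        -signkey "$d/host.key" -extfile "$d/san.ext" \
        -out "$d/san.crt" 2>/dev/null
}

work=$(mktemp -d)
make_certs "$work"
echo "CSR:       $(san_of req  "$work/host.csr")"
echo "plain.crt: $(san_of x509 "$work/plain.crt")"   # empty: SANs were dropped
echo "san.crt:   $(san_of x509 "$work/san.crt")"
```

Running the same san_of check against any certificate before deploying it catches a missing subjectAltName early.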