Revisions

  1. Rajaneeshs revised this gist Mar 30, 2021. 1 changed file with 11 additions and 0 deletions.
    11 changes: 11 additions & 0 deletions openssl-self-signed-san-certificate.md
    @@ -55,3 +55,14 @@ Append the DH PARAMS to the certificate.
    $ cat /tmp/dhparams.pem \
    >> /etc/pki/tls/certs/www.domain.localdomain.crt
    ```
    # OR below command

    openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 365 \
    -nodes \
    -out www.domain.localdomain.crt \
    -keyout www.domain.localdomain.key \
    -subj "/C=US/ST=California/L=local/O=DEPT/OU=IT/CN=www.domain.localdomain" \
    -addext "subjectAltName=DNS:www.domain.localdomain"
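Review bot: the alternative command added at the end of this hunk (from `# OR below command` through the `-addext` line) sits outside the code fence that closes just above it, so `# OR below command` renders as a top-level heading and the backslash-continued option lines collapse into a single paragraph; wrap the command in its own ``` fence and make the heading a `##` like the rest of the file. It is also not equivalent to the main recipe: its `-addext` lists only `DNS:www.domain.localdomain`, while `$SAN` above carries both `DNS:www.domain.localdomain,DNS:domain.localdomain`, and it writes the key and certificate to the current directory instead of `/etc/pki/tls/...`; state which of these differences are intended.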
  2. @jdeathe jdeathe revised this gist Feb 16, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions openssl-self-signed-san-certificate.md
    @@ -10,6 +10,8 @@ $ export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"

    ## Generate a configuration with the addition of the san extension.

    _NOTE:_ On OSX [EL Capitan] the openssl configuration file path is: `/System/Library/OpenSSL/openssl.cnf` instead of the RHEL/CentOS default of `/etc/pki/tls/openssl.cnf`.

    ```
    $ cat \
    /etc/pki/tls/openssl.cnf \
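Review bot: the new note says the configuration file lives at a different path on OSX, but the `$ cat` command that follows still hardcodes `/etc/pki/tls/openssl.cnf`, so a macOS reader has to edit the command by hand; consider holding the path in a variable the note can refer to (for example `OPENSSL_CNF=/etc/pki/tls/openssl.cnf` and `"${OPENSSL_CNF}"` in the cat), with the note giving the macOS value. Minor wording: "OSX [EL Capitan]" would read better as "macOS (El Capitan)".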
  3. @jdeathe jdeathe revised this gist Feb 14, 2017. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions openssl-self-signed-san-certificate.md
    @@ -5,13 +5,13 @@ Generating a self-signed certificate is a common taks and the command to generat
    ## Generate a list of all required DNS names, (Note: CN will be discarded).

    ```
    export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"
    $ export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"
    ```

    ## Generate a configuration with the addition of the san extension.

    ```
    cat \
    $ cat \
    /etc/pki/tls/openssl.cnf \
    - \
    <<-CONFIG > /tmp/www.domain.localdomain.cnf
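Review bot: adding the `$ ` prompt to `export SAN=...` and `cat \` while the fences carry no language tag means a copy-paste now picks up the prompt; tag the fences as ```console (or leave the prompt out) so it is clear the `$ ` is not part of the command. The continuation lines correctly carry no prompt. The context line in the @@ header also shows the intro paragraph still reads "common taks"; worth fixing in the same pass.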
    @@ -24,7 +24,7 @@ CONFIG
    ## Generate the certificate using the additional parameters -config, -reqext, and -extensions:

    ```
    openssl req \
    $ openssl req \
    -x509 \
    -sha256 \
    -nodes \
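Review bot: the heading kept as context in this hunk names the option `-reqext`, but the command uses `-reqexts san`; align the heading with the actual flag (`-reqexts`) so readers searching the `req` man page find it. The same fence/prompt point as in the previous hunk applies to this block.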
  4. @jdeathe jdeathe revised this gist Feb 14, 2017. 1 changed file with 16 additions and 0 deletions.
    16 changes: 16 additions & 0 deletions openssl-self-signed-san-certificate.md
    @@ -37,3 +37,19 @@ openssl req \
    -keyout /etc/pki/tls/private/www.domain.localdomain.crt \
    -out /etc/pki/tls/certs/www.domain.localdomain.crt
    ```

    ## Generate a new Diffie-Hellman Group

    _Warning!_ this takes a while...

    ```
    $ openssl dhparam \
    -out /tmp/dhparams.pem \
    2048
    ```

    Append the DH PARAMS to the certificate.
    ```
    $ cat /tmp/dhparams.pem \
    >> /etc/pki/tls/certs/www.domain.localdomain.crt
    ```
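Review bot: the new section never says which server expects the DH parameters appended to the certificate file, and a reader whose server takes DH parameters through its own setting should keep `/tmp/dhparams.pem` separate; document that here. Note also that `>>` is not idempotent: re-running the step appends a second DH PARAMETERS block to `www.domain.localdomain.crt`. Style: add a blank line between "Append the DH PARAMS to the certificate." and the opening fence, as the other sections do, and "Warning!" should be followed by a capitalised "This".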
  5. @jdeathe jdeathe revised this gist Feb 7, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion openssl-self-signed-san-certificate.md
    @@ -5,7 +5,7 @@ Generating a self-signed certificate is a common taks and the command to generat
    ## Generate a list of all required DNS names, (Note: CN will be discarded).

    ```
    SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"
    export SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"
    ```

    ## Generate a configuration with the addition of the san extension.
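Review bot: the revision does not say why `export` is being added; the heredoc in the next step is expanded by the current shell, so `SAN` does not need to be exported for `${SAN:...}` to resolve there. If the intent is to let the value survive into a subshell or a separate script, say so in the heading. The heading's "(Note: CN will be discarded)" is also vague: spell out that the CN is not used for name matching once a SAN extension is present, which is why the CN hostname must itself appear in the `SAN` list, as it does here.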
  6. @jdeathe jdeathe created this gist Feb 7, 2017.
    39 changes: 39 additions & 0 deletions openssl-self-signed-san-certificate.md
    @@ -0,0 +1,39 @@
    # How to generate a self-signed SAN SSL/TLS certificate using openssl

    Generating a self-signed certificate is a common taks and the command to generate one with `openssl` is well known and well documented. Generating a certificate that includes subjectAltName is not so straght forward however. The following example demonstrates how to generate a SAN certificate without making a permanent change to the openssl configuration.

    ## Generate a list of all required DNS names, (Note: CN will be discarded).

    ```
    SAN="DNS:www.domain.localdomain,DNS:domain.localdomain"
    ```

    ## Generate a configuration with the addition of the san extension.

    ```
    cat \
    /etc/pki/tls/openssl.cnf \
    - \
    <<-CONFIG > /tmp/www.domain.localdomain.cnf
    [ san ]
    subjectAltName="${SAN:[email protected]}"
    CONFIG
    ```

    ## Generate the certificate using the additional parameters -config, -reqext, and -extensions:

    ```
    openssl req \
    -x509 \
    -sha256 \
    -nodes \
    -newkey rsa:2048 \
    -days 365 \
    -reqexts san \
    -extensions san \
    -subj "/CN=www.domain.localdomain" \
    -config /tmp/www.domain.localdomain.cnf \
    -keyout /etc/pki/tls/private/www.domain.localdomain.crt \
    -out /etc/pki/tls/certs/www.domain.localdomain.crt
    ```
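Review bot: the fallback in `subjectAltName="${SAN:[email protected]}"` is not a usable SAN value: entries need a type prefix (`DNS:`, `IP:`, `email:`), as the `SAN` variable above uses, and the `${SAN:...}` form lacks the `-` operator that supplies a default, so as written the step either fails or emits an unusable extension when `SAN` is unset; `${SAN:-DNS:www.domain.localdomain}` would be a sound default. Separately, `-keyout /etc/pki/tls/private/www.domain.localdomain.crt` writes the private key to a file with a `.crt` extension inside `private/`, so key and certificate differ only by directory; name it `www.domain.localdomain.key`. Typos in the intro: "taks" and "straght forward".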