helios2k6 · March 26, 2024 13:31 · Mar 26, 2024 · Mar 25, 2024 · Mar 25, 2024 · Mar 25, 2024
diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -10,6 +10,8 @@ openssl ecparam -genkey -name prime256v1 -noout -out <ROOT_CA_KEY>
 
 ## Create and self sign the Root Certificate
 
+### Method A: Interactive
+
 ```bash
 openssl req -x509 -new -nodes -key <ROOT_CA_KEY> -sha256 -days 1024 -out <ROOT_CA_CERT>
 ```
@@ -24,6 +26,21 @@ Be sure to set the following traits:
 7. Email Address = [email protected]
 
 
+### Method B: One-Liner
+
+```
+openssl \
+    req \
+    -x509 \
+    -new \
+    -nodes \
+    -key <ROOT_CA_KEY> \
+    -sha256 \
+    -days 3652 \
+    -subj "/C=<YOUR COUNTRY>/ST=<YOUR STATE>/L=<YOUR CITY>/O=<YOUR COMPANY NAME>/OU=<YOUR TEAM NAME>/CN=<YOUR DOMAIN NAME>" \
+    -out <ROOT_CA_CERT>
+```
+
 Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
 
 

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -61,7 +61,7 @@ openssl req \
     -new \
     -sha256 \
     -key <SERVER_PRIVATE_KEY> \
-    -subj "/C=US/ST=CA/O=<YOUR ORG NAME>/CN=<YOUR DOMAIN NAME>" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:YOUR_DOMAIN_NAME")) \
+    -subj "/C=<YOUR COUNTRY>/ST=<YOUR STATE>/L=<YOUR CITY>/O=<YOUR COMPANY NAME>/OU=<YOUR TEAM NAME>/CN=<YOUR DOMAIN NAME>" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:YOUR_DOMAIN_NAME")) \
     -out <SERVER_CERT_REQUEST>
 ```
 
@@ -70,7 +70,7 @@ If you need to pass additional config you can use the `-config` parameter, here
 ```
 openssl req -new -sha256 \
     -key <SERVER_PRIVATE_KEY> \
-    -subj "/C=US/ST=CA/O=<YOUR ORG NAME>/CN=<YOUR DOMAIN NAME>" \
+    -subj "/C=<YOUR COUNTRY>/ST=<YOUR STATE>/L=<YOUR CITY>/O=<YOUR COMPANY NAME>/OU=<YOUR TEAM NAME>/CN=<YOUR DOMAIN NAME>" \
     -reqexts SAN \
     -config <(cat /etc/ssl/openssl.cnf \
         <(printf "\n[SAN]\nsubjectAltName=DNS:<EXAMPLE_DOMAIN_NAME>,DNS:<EXAMPLE_DOMAIN_NAME>")) \

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -18,10 +18,10 @@ Be sure to set the following traits:
 1. Country (C) = US
 2. State (ST) = Illinois
 3. Locality (L) = Chicago
-4. Organization (O) = "Circle Quant Inc."
-5. Organizational Unit (OU) = "Engineering"
-6. Common Name (CN) = "circlequant"
-7. Email Address = "[email protected]"
+4. Organization (O) = Circle Quant Inc.
+5. Organizational Unit (OU) = Engineering
+6. Common Name (CN) = circlequant
+7. Email Address = [email protected]
 
 
 Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -14,6 +14,16 @@ openssl ecparam -genkey -name prime256v1 -noout -out <ROOT_CA_KEY>
 openssl req -x509 -new -nodes -key <ROOT_CA_KEY> -sha256 -days 1024 -out <ROOT_CA_CERT>
 ```
 
+Be sure to set the following traits:
+1. Country (C) = US
+2. State (ST) = Illinois
+3. Locality (L) = Chicago
+4. Organization (O) = "Circle Quant Inc."
+5. Organizational Unit (OU) = "Engineering"
+6. Common Name (CN) = "circlequant"
+7. Email Address = "[email protected]"
+
+
 Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
 
 

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -127,3 +127,8 @@ openssl pkcs8 -topk8 -inform PEM -outform DER -in filename -out filename -nocryp
 ```
 
 ref: https://stackoverflow.com/questions/8290435/convert-pem-traditional-private-key-to-pkcs8-private-key
+
+## Convert Old-School EC-Key PEM Format to PKCS8 That is PEM Encoded
+```
+openssl pkcs8 -topk8 -inform PEM -in <filename> -out <filename> -nocrypt
+```
diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -5,13 +5,13 @@
 **Attention:** this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!
 
 ```bash
-openssl ecparam -genkey -name prime256v1 -noout -out rootCA.key
+openssl ecparam -genkey -name prime256v1 -noout -out <ROOT_CA_KEY>
 ```
 
 ## Create and self sign the Root Certificate
 
 ```bash
-openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
+openssl req -x509 -new -nodes -key <ROOT_CA_KEY> -sha256 -days 1024 -out <ROOT_CA_CERT>
 ```
 
 Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
@@ -24,7 +24,7 @@ This procedure needs to be followed for each server/appliance that needs a trust
 ## Create the certificate key
 
 ```
-openssl ecparam -name prime256v1 -genkey -noout -out mydomain.com.key
+openssl ecparam -name prime256v1 -genkey -noout -out <SERVER_PRIVATE_KEY>
 ```
 
 ## Create the signing  (csr)
@@ -39,7 +39,7 @@ This request will be processed by the owner of the Root key (you in this case si
 If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the `Common Name` (CN) that is the web address you are creating the certificate for, e.g `mydomain.com`.
 
 ```
-openssl req -new -key mydomain.com.key -out mydomain.com.csr
+openssl req -new -key <SERVER_PRIVATE_KEY> -out <SERVER_CERT_REQUEST>
 ```
 
 ### Method B (One Liner)
@@ -50,28 +50,28 @@ This method generates the same output as Method A but it's suitable for use in y
 openssl req \
     -new \
     -sha256 \
-    -key mydomain.com.key \
-    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:YOUR_DOMAIN_NAME")) \
-    -out mydomain.com.csr
+    -key <SERVER_PRIVATE_KEY> \
+    -subj "/C=US/ST=CA/O=<YOUR ORG NAME>/CN=<YOUR DOMAIN NAME>" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:YOUR_DOMAIN_NAME")) \
+    -out <SERVER_CERT_REQUEST>
 ```
 
 If you need to pass additional config you can use the `-config` parameter, here for example I want to add alternative names to my certificate.
 
 ```
 openssl req -new -sha256 \
-    -key mydomain.com.key \
-    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
+    -key <SERVER_PRIVATE_KEY> \
+    -subj "/C=US/ST=CA/O=<YOUR ORG NAME>/CN=<YOUR DOMAIN NAME>" \
     -reqexts SAN \
     -config <(cat /etc/ssl/openssl.cnf \
-        <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
-    -out mydomain.com.csr
+        <(printf "\n[SAN]\nsubjectAltName=DNS:<EXAMPLE_DOMAIN_NAME>,DNS:<EXAMPLE_DOMAIN_NAME>")) \
+    -out <SERVER_CERT_REQUEST>
 ```
 
 
 ## Verify the csr's content
 
 ```
-openssl req -in mydomain.com.csr -noout -text
+openssl req -in <SERVER_CERT_REQUEST> -noout -text
 ```
 
 ## Generate the certificate using the `mydomain` csr and key along with the CA Root key
@@ -80,11 +80,11 @@ openssl req -in mydomain.com.csr -noout -text
 openssl x509 \
     -req \
     -extfile <(printf "subjectAltName=DNS:YOUR_DOMAIN_NAME") \
-    -in mydomain.com.csr \
-    -CA root_ca.crt \
-    -CAkey root_ca.key \
+    -in <SERVER_CERT_REQUEST> \
+    -CA <ROOT_CA_CERT> \
+    -CAkey <ROOT_CA_CERT_KEY> \
     -CAcreateserial \
-    -out mydomain.com.crt \
+    -out <SERVER_CERT> \
     -days 500 \
     -sha256
 ```
@@ -93,12 +93,12 @@ If you want to make the certificate an intermediate certificate authority, use t
 ```
 openssl x509 \
     -req \
-    -extfile <(printf "basicConstraints=CA:TRUE\nsubjectAltName=DNS:YOUR_DOMAIN_NAME") \
-    -in mydomain.com.csr \
-    -CA root_ca.crt \
-    -CAkey root_ca.key \
+    -extfile <(printf "basicConstraints=CA:TRUE\nsubjectAltName=DNS:<YOUR_DOMAIN_NAME>") \
+    -in <SERVER_CERT_REQUEST> \
+    -CA <ROOT_CA_CERT> \
+    -CAkey <ROOT_CA_CERT_KEY> \
     -CAcreateserial \
-    -out mydomain.com.crt \
+    -out <SERVER_CERT> \
     -days 500 \
     -sha256
 ```
@@ -108,13 +108,13 @@ In general, you can look at the different extension options at: https://www.open
 ## Verify the certificate's content
 
 ```
-openssl x509 -in mydomain.com.crt -text -noout
+openssl x509 -in <SERVER_CERT> -text -noout
 ```
 
 ## Verify Root CA -> Client CA Relationship
 
 ```
-openssl verify -CAfile root.crt -purpose sslclient client.crt
+openssl verify -CAfile <ROOT_CA_CERT> -purpose sslclient <INTERMEDIATE_CA_CERT>
 ```
 
 [ref](https://stackoverflow.com/questions/18497299/psql-fatal-connection-requires-a-valid-client-certificate)

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -47,7 +47,12 @@ openssl req -new -key mydomain.com.key -out mydomain.com.csr
 This method generates the same output as Method A but it's suitable for use in your automation :) .
 
 ```
-openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:YOUR_DOMAIN_NAME")) -out mydomain.com.csr
+openssl req \
+    -new \
+    -sha256 \
+    -key mydomain.com.key \
+    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:YOUR_DOMAIN_NAME")) \
+    -out mydomain.com.csr
 ```
 
 If you need to pass additional config you can use the `-config` parameter, here for example I want to add alternative names to my certificate.
@@ -72,12 +77,30 @@ openssl req -in mydomain.com.csr -noout -text
 ## Generate the certificate using the `mydomain` csr and key along with the CA Root key
 
 ```
-openssl x509 -req -extfile <(printf "subjectAltName=DNS:YOUR_DOMAIN_NAME") -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
+openssl x509 \
+    -req \
+    -extfile <(printf "subjectAltName=DNS:YOUR_DOMAIN_NAME") \
+    -in mydomain.com.csr \
+    -CA root_ca.crt \
+    -CAkey root_ca.key \
+    -CAcreateserial \
+    -out mydomain.com.crt \
+    -days 500 \
+    -sha256
 ```
 
 If you want to make the certificate an intermediate certificate authority, use the following command instead:
 ```
-openssl x509 -req -extfile <(printf "basicConstraints=CA:TRUE\nsubjectAltName=DNS:YOUR_DOMAIN_NAME") -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
+openssl x509 \
+    -req \
+    -extfile <(printf "basicConstraints=CA:TRUE\nsubjectAltName=DNS:YOUR_DOMAIN_NAME") \
+    -in mydomain.com.csr \
+    -CA root_ca.crt \
+    -CAkey root_ca.key \
+    -CAcreateserial \
+    -out mydomain.com.crt \
+    -days 500 \
+    -sha256
 ```
 
 In general, you can look at the different extension options at: https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -88,6 +88,14 @@ In general, you can look at the different extension options at: https://www.open
 openssl x509 -in mydomain.com.crt -text -noout
 ```
 
+## Verify Root CA -> Client CA Relationship
+
+```
+openssl verify -CAfile root.crt -purpose sslclient client.crt
+```
+
+[ref](https://stackoverflow.com/questions/18497299/psql-fatal-connection-requires-a-valid-client-certificate)
+
 ## Convert a PEM Format to PKS-8 
 PEM format is the default output format for all keys and certs. To convert to the PKS-8 format (which is needed for Postgresql), run the following command:
 

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -75,6 +75,13 @@ openssl req -in mydomain.com.csr -noout -text
 openssl x509 -req -extfile <(printf "subjectAltName=DNS:YOUR_DOMAIN_NAME") -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
 ```
 
+If you want to make the certificate an intermediate certificate authority, use the following command instead:
+```
+openssl x509 -req -extfile <(printf "basicConstraints=CA:TRUE\nsubjectAltName=DNS:YOUR_DOMAIN_NAME") -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
+```
+
+In general, you can look at the different extension options at: https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
+
 ## Verify the certificate's content
 
 ```

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -32,7 +32,7 @@ openssl ecparam -name prime256v1 -genkey -noout -out mydomain.com.key
 The certificate signing request is where you specify the details for the certificate you want to generate.
 This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.
 
-**Important:** Please mind that while creating the signign request is important to specify the `Common Name` providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
+**Important:** Please mind that while creating the signing request, it is important to specify the `Common Name` providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
 
 ### Method A (Interactive)
 

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -88,4 +88,4 @@ PEM format is the default output format for all keys and certs. To convert to th
 openssl pkcs8 -topk8 -inform PEM -outform DER -in filename -out filename -nocrypt
 ```
 
-(ref)[https://stackoverflow.com/questions/8290435/convert-pem-traditional-private-key-to-pkcs8-private-key]
+ref: https://stackoverflow.com/questions/8290435/convert-pem-traditional-private-key-to-pkcs8-private-key
diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -81,3 +81,11 @@ openssl x509 -req -extfile <(printf "subjectAltName=DNS:YOUR_DOMAIN_NAME") -in m
 openssl x509 -in mydomain.com.crt -text -noout
 ```
 
+## Convert a PEM Format to PKS-8 
+PEM format is the default output format for all keys and certs. To convert to the PKS-8 format (which is needed for Postgresql), run the following command:
+
+```
+openssl pkcs8 -topk8 -inform PEM -outform DER -in filename -out filename -nocrypt
+```
+
+(ref)[https://stackoverflow.com/questions/8290435/convert-pem-traditional-private-key-to-pkcs8-private-key]
diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -34,8 +34,6 @@ This request will be processed by the owner of the Root key (you in this case si
 
 **Important:** Please mind that while creating the signign request is important to specify the `Common Name` providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
 
-I will describe here two ways to gener
-
 ### Method A (Interactive)
 
 If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the `Common Name` (CN) that is the web address you are creating the certificate for, e.g `mydomain.com`.
@@ -49,7 +47,7 @@ openssl req -new -key mydomain.com.key -out mydomain.com.csr
 This method generates the same output as Method A but it's suitable for use in your automation :) .
 
 ```
-openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr
+openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:YOUR_DOMAIN_NAME")) -out mydomain.com.csr
 ```
 
 If you need to pass additional config you can use the `-config` parameter, here for example I want to add alternative names to my certificate.
@@ -74,7 +72,7 @@ openssl req -in mydomain.com.csr -noout -text
 ## Generate the certificate using the `mydomain` csr and key along with the CA Root key
 
 ```
-openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -extensions v3_ca -out mydomain.com.crt -days 500 -sha256
+openssl x509 -req -extfile <(printf "subjectAltName=DNS:YOUR_DOMAIN_NAME") -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
 ```
 
 ## Verify the certificate's content

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -74,7 +74,7 @@ openssl req -in mydomain.com.csr -noout -text
 ## Generate the certificate using the `mydomain` csr and key along with the CA Root key
 
 ```
-openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -addext -out mydomain.com.crt -days 500 -sha256
+openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -extensions v3_ca -out mydomain.com.crt -days 500 -sha256
 ```
 
 ## Verify the certificate's content

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -74,7 +74,7 @@ openssl req -in mydomain.com.csr -noout -text
 ## Generate the certificate using the `mydomain` csr and key along with the CA Root key
 
 ```
-openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
+openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -addext -out mydomain.com.crt -days 500 -sha256
 ```
 
 ## Verify the certificate's content

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -5,12 +5,9 @@
 **Attention:** this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!
 
 ```bash
-openssl genrsa -des3 -out rootCA.key 4096
+openssl ecparam -genkey -name prime256v1 -noout -out rootCA.key
 ```
 
-If you want a non password protected key just remove the `-des3` option
-
-
 ## Create and self sign the Root Certificate
 
 ```bash
@@ -27,7 +24,7 @@ This procedure needs to be followed for each server/appliance that needs a trust
 ## Create the certificate key
 
 ```
-openssl genrsa -out mydomain.com.key 2048
+openssl ecparam -name prime256v1 -genkey -noout -out mydomain.com.key
 ```
 
 ## Create the signing  (csr)

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -58,7 +58,7 @@ openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./
 If you need to pass additional config you can use the `-config` parameter, here for example I want to add alternative names to my certificate.
 
 ```
-openssl req -new -sha256 \  
+openssl req -new -sha256 \
     -key mydomain.com.key \
     -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
     -reqexts SAN \

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -43,15 +43,19 @@ I will describe here two ways to gener
 
 If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the `Common Name` (CN) that is the web address you are creating the certificate for, e.g `mydomain.com`.
 
-If you need to provide additional addresses (like the www subdomain) you need to provide a configuration file, so I suggest you to use the Method B.
-
 ```
 openssl req -new -key mydomain.com.key -out mydomain.com.csr
 ```
 
-### Method B (One Liner, non-interactive)
+### Method B (One Liner)
 
-This method generates the same output as Method A but allows you to specify additional web addresses in the form of Alternative Names and it's also a one liner you can use in your automation scripts since it is non-interactive.
+This method generates the same output as Method A but it's suitable for use in your automation :) .
+
+```
+openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr
+```
+
+If you need to pass additional config you can use the `-config` parameter, here for example I want to add alternative names to my certificate.
 
 ```
 openssl req -new -sha256 \  
@@ -63,9 +67,22 @@ openssl req -new -sha256 \
     -out mydomain.com.csr
 ```
 
+
+## Verify the csr's content
+
+```
+openssl req -in mydomain.com.csr -noout -text
+```
+
 ## Generate the certificate using the `mydomain` csr and key along with the CA Root key
 
 ```
 openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
 ```
 
+## Verify the certificate's content
+
+```
+openssl x509 -in mydomain.com.crt -text -noout
+```
+
diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -30,15 +30,39 @@ This procedure needs to be followed for each server/appliance that needs a trust
 openssl genrsa -out mydomain.com.key 2048
 ```
 
-## Create the signing request
+## Create the signing  (csr)
 
-**Important:** Please mind that while creating the signign request is important to specify the `Common Name` providing the IP address or URL for the service, otherwise the certificate
-cannot be verified
+The certificate signing request is where you specify the details for the certificate you want to generate.
+This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.
+
+**Important:** Please mind that while creating the signign request is important to specify the `Common Name` providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
+
+I will describe here two ways to gener
+
+### Method A (Interactive)
+
+If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the `Common Name` (CN) that is the web address you are creating the certificate for, e.g `mydomain.com`.
+
+If you need to provide additional addresses (like the www subdomain) you need to provide a configuration file, so I suggest you to use the Method B.
 
 ```
 openssl req -new -key mydomain.com.key -out mydomain.com.csr
 ```
 
+### Method B (One Liner, non-interactive)
+
+This method generates the same output as Method A but allows you to specify additional web addresses in the form of Alternative Names and it's also a one liner you can use in your automation scripts since it is non-interactive.
+
+```
+openssl req -new -sha256 \  
+    -key mydomain.com.key \
+    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
+    -reqexts SAN \
+    -config <(cat /etc/ssl/openssl.cnf \
+        <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
+    -out mydomain.com.csr
+```
+
 ## Generate the certificate using the `mydomain` csr and key along with the CA Root key
 
 ```

diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -5,7 +5,7 @@
 **Attention:** this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!
 
 ```bash
-openssl genrsa -des3 -out rootCA.key 2048
+openssl genrsa -des3 -out rootCA.key 4096
 ```
 
 If you want a non password protected key just remove the `-des3` option
@@ -14,7 +14,7 @@ If you want a non password protected key just remove the `-des3` option
 ## Create and self sign the Root Certificate
 
 ```bash
-openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
 ```
 
 Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
@@ -42,6 +42,6 @@ openssl req -new -key mydomain.com.key -out mydomain.com.csr
 ## Generate the certificate using the `mydomain` csr and key along with the CA Root key
 
 ```
-openssl x509 -req -in mydomain.com.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
+openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
 ```
 
diff --git a/self-signed-certificate-with-custom-ca.md b/self-signed-certificate-with-custom-ca.md
@@ -0,0 +1,47 @@
+# Create Root CA (Done once)
+
+## Create Root Key
+
+**Attention:** this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!
+
+```bash
+openssl genrsa -des3 -out rootCA.key 2048
+```
+
+If you want a non password protected key just remove the `-des3` option
+
+
+## Create and self sign the Root Certificate
+
+```bash
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+```
+
+Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
+
+
+# Create a certificate (Done for each server)
+
+This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA
+
+## Create the certificate key
+
+```
+openssl genrsa -out mydomain.com.key 2048
+```
+
+## Create the signing request
+
+**Important:** Please mind that while creating the signign request is important to specify the `Common Name` providing the IP address or URL for the service, otherwise the certificate
+cannot be verified
+
+```
+openssl req -new -key mydomain.com.key -out mydomain.com.csr
+```
+
+## Generate the certificate using the `mydomain` csr and key along with the CA Root key
+
+```
+openssl x509 -req -in mydomain.com.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
+```
+
No results found