## OpenSSL commands:

```
# Generate the RSA private key
openssl genrsa -out self-ssl.key
# Create the CSR from the key, using the settings in csr.conf
openssl req -new -key self-ssl.key -out self-ssl.csr -config csr.conf
# Self-sign the CSR and copy the SAN extension from the [req_ext] section
openssl x509 -req -days 365 -in self-ssl.csr -signkey self-ssl.key -out self-ssl.crt -extensions req_ext -extfile csr.conf
```

> Sign from Root CA: `openssl x509 -req -days 365 -extensions req_ext -extfile csr.conf -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -in self-ssl.csr -out self-ssl.crt`

## Configuration `csr.conf`:

```
[req]
default_bits = 2048
distinguished_name = dn
prompt = no
req_extensions = req_ext

[dn]
C="TW"
ST="Taiwan"
L="Taipei"
O="YIDAS"
OU="Service"
emailAddress="yourmail@mail.com"
CN="yourdomain.com"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.0 = *.yourdomain.com
DNS.1 = *.dev.yourdomain.com
```

> `[req]` configures the CSR, including the `distinguished_name` section, while `[req_ext]` is the section named by `-extensions` when creating the CRT, and it carries the SAN (subjectAltName) setting.

## Extract information from the CSR/CRT

```
openssl req -in self-ssl.csr -text -noout
```

```
openssl x509 -in self-ssl.crt -text -noout
```

## Trusted CA or CRT

After building a self-signed RootCA or CRT, you can install it into your browser client. If you install the RootCA or a parent CRT, the server can conveniently change the SAN setting in the CRT below it, and whoever installed the CA does not need to re-install it.
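
The `[alt_names]` entries in `csr.conf` decide which hostnames clients will accept, because TLS clients that follow RFC 6125 match on the SAN and not on the CN once a SAN is present. The following is an added example, not part of the original page: it reads the SAN section of that config and applies the one-label wildcard rule; the function names are hypothetical and the config text is a constructed copy of the page's settings.

```python
import configparser

# Constructed input: the [req_ext]/[alt_names] part of the page's csr.conf.
CSR_CONF = """
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.0 = *.yourdomain.com
DNS.1 = *.dev.yourdomain.com
"""

def san_dns_names(conf_text):
    """Return the DNS entries of the section that subjectAltName points to."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep keys such as "DNS.0" as written
    cp.read_string(conf_text)
    ref = cp["req_ext"]["subjectAltName"]
    if not ref.startswith("@"):
        raise ValueError("expected subjectAltName = @section")
    section = cp[ref[1:]]
    return [v for k, v in section.items() if k.split(".")[0] == "DNS"]

def matches(pattern, host):
    """RFC 6125 style match: '*' may only be the whole left-most label
    and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def covered(host, conf_text=CSR_CONF):
    """True if any SAN entry in the config covers host."""
    return any(matches(pat, host) for pat in san_dns_names(conf_text))

if __name__ == "__main__":
    for name in ("yourdomain.com", "www.yourdomain.com",
                 "api.dev.yourdomain.com", "a.b.yourdomain.com"):
        print(f"{name:28} {'covered' if covered(name) else 'NOT covered'}")
```

With the page's settings the bare `yourdomain.com` is not covered even though it is the CN; adding it as a further `DNS.n` entry in `[alt_names]` closes that gap.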