This post is just an example of how to create a simple CA and issue a TLS certificate. I will deliberately not give any explanations, because the Internet has been full of them for a long time.
It also frustrates me that people like to just copy and paste configurations without realizing that tons of parameters are simply unnecessary for what they are doing. In my case I tried to keep it as simple as possible.
So create three files:
ca.cnf:

```
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
# You can remove this if you don't use non-ASCII symbols
utf8 = yes

[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's CA"

[v3_req]
keyUsage = digitalSignature
```

tls.cnf:

```
[req]
distinguished_name = req_distinguished_name
prompt = no
utf8 = yes

[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's LAN"
```

tls.ext:

```
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = home.local
DNS.2 = *.home.local
```
Now execute this:
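```sh
# Generate CA cert (self-signed, valid for 10 years)
# Note: x509 -req does not copy extensions from the CSR by default,
# so [v3_req] from ca.cnf is not carried over into ca.crt.
openssl ecparam -name prime256v1 -genkey -out ca.key
openssl req -new -key ca.key -config ca.cnf -out ca.csr
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

# Generate TLS cert (signed by the CA, extensions taken from tls.ext)
openssl ecparam -name prime256v1 -genkey -out tls.key
openssl req -new -key tls.key -config tls.cnf -out tls.csr
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -out tls.crt -days 365 -extfile tls.ext
```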
Of course, you can issue more than just TLS certs; this is just the simplest case.
Play with the
file to issue another certificate.
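Once the files above exist, it is worth checking that the issued certificate actually chains to the CA, is usable as a TLS server certificate, and covers the names you expect. The script below is an added example, not part of the original post; `check_issued_cert` is a hypothetical helper name, and it assumes the OpenSSL 1.1.0 or newer command line.

```shell
#!/bin/sh
# Added example: post-issuance checks for a certificate signed by a private CA.
# check_issued_cert is a hypothetical helper name; needs OpenSSL 1.1.0 or newer.
#
# Usage: check_issued_cert CA_CERT LEAF_CERT HOSTNAME [MIN_DAYS_LEFT]
# Returns 0 if all checks pass, 1 on chain/purpose/hostname failure,
# 2 if the certificate expires within MIN_DAYS_LEFT days (default 30).
check_issued_cert() {
    ca=$1 crt=$2 host=$3 min_days=${4:-30}

    # Chain to the CA, require suitability as a TLS server certificate
    # (extendedKeyUsage = serverAuth) and match HOSTNAME against subjectAltName.
    if ! out=$(openssl verify -CAfile "$ca" -purpose sslserver \
                 -verify_hostname "$host" "$crt" 2>&1) \
       || ! printf '%s\n' "$out" | grep -q ': OK$'; then
        printf 'FAIL %s for %s:\n%s\n' "$crt" "$host" "$out" >&2
        return 1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout \
           -checkend $((min_days * 86400)) >/dev/null; then
        printf 'WARN %s expires in less than %s days\n' "$crt" "$min_days" >&2
        return 2
    fi

    printf 'OK   %s is valid for %s\n' "$crt" "$host"
}

# Run directly against the files from this post, e.g.:
#   sh check.sh ca.crt tls.crt home.local
if [ "$#" -ge 3 ]; then
    check_issued_cert "$@"
fi
```

With the `tls.ext` above, `home.local` and `www.home.local` should pass, while `a.b.home.local` should fail: the wildcard `*.home.local` covers exactly one label.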