This post is just an example of how to create a simple CA and issue a TLS certificate. I will deliberately not give any explanations, because the Internet has been full of them for a long time.
It also frustrates me that people like to just copy and paste configurations and don't realize that tons of those parameters are simply not needed for their use case. Here I tried to keep it as simple as possible.
So create three files:
ca.cnf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
# You can remove this if you don't use non-ASCII symbols
utf8 = yes
[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's CA"
[v3_req]
# A CA cert must mark itself as a CA and be allowed to sign certs and CRLs;
# without CA:TRUE, verifiers reject every chain that ends at this cert
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
tls.cnf:
[req]
distinguished_name = req_distinguished_name
prompt = no
utf8 = yes
[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's LAN"
tls.ext:
# keyEncipherment is RSA key transport; it must not be set on an EC key (RFC 5480)
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = home.local
DNS.2 = *.home.local
Now execute this:
# Generate CA cert
openssl ecparam -name prime256v1 -genkey -out ca.key
openssl req -new -key ca.key -config ca.cnf -out ca.csr
# -extfile/-extensions is needed: x509 -req does not copy the CSR's extensions by default
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -extfile ca.cnf -extensions v3_req -out ca.crt
# Generate TLS cert
openssl ecparam -name prime256v1 -genkey -out tls.key
openssl req -new -key tls.key -config tls.cnf -out tls.csr
# -CAcreateserial creates ca.srl on first use; without it older OpenSSL fails with "No such file"
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 365 -extfile tls.ext
Of course, you can issue more than TLS server certs; this is just the simplest case.
Play with the tls.ext file (especially the keyUsage and extendedKeyUsage parameters) to issue other kinds of certificates.
For example, this is an mTLS-compatible client cert:
personal.cnf:
[req]
distinguished_name = req_distinguished_name
prompt = no
utf8 = yes
[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's LAN"
personal.ext:
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
Generation:
openssl ecparam -name prime256v1 -genkey -out personal.key
openssl req -new -key personal.key -config personal.cnf -out personal.csr
openssl x509 -req -in personal.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out personal.crt -days 365 -extfile personal.ext
# Convert to a convenient PKCS#12 bundle where the key and the cert are combined
openssl pkcs12 -export -out personal.pfx -inkey personal.key -in personal.crt
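The post stops at issuing the files and never checks what came out. The script below is an added example (not part of the original post): it runs the server-cert and client-cert procedures above end-to-end in a scratch directory and then confirms with `openssl verify` that the server cert chains to the CA for the sslserver purpose and matches a wildcard name, that an unlisted name is rejected, and that the client cert is accepted for clientAuth but refused as a server cert. It assumes OpenSSL 1.1.1 or 3.x on PATH; the CA extension section carries basicConstraints CA:TRUE and keyCertSign, which a CA cert needs, and `home.local` / `*.home.local` are the post's SANs, while `api.home.local`, `evil.example` and the PKCS#12 password `example` are constructed test values.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's issuance steps
# end-to-end in a scratch directory, then check the results with openssl verify.
# Assumes OpenSSL 1.1.1 or 3.x on PATH. home.local / *.home.local are the post's
# SANs; api.home.local, evil.example and the password "example" are constructed.
set -eu

# The post's config files, written into the current directory.
write_configs() {
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
utf8 = yes
[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's CA"
[v3_req]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > tls.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
prompt = no
utf8 = yes
[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's LAN"
EOF
    cat > tls.ext <<'EOF'
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = home.local
DNS.2 = *.home.local
EOF
    cat > personal.ext <<'EOF'
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA; -extfile/-extensions is what puts the CA extensions into the cert.
gen_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out ca.key &&
    openssl req -new -key ca.key -config ca.cnf -out ca.csr &&
    openssl x509 -req -days 3650 -in ca.csr -signkey ca.key \
        -extfile ca.cnf -extensions v3_req -out ca.crt
}

# Leaf $1 signed by the CA; extensions from $1.ext, subject from tls.cnf (the post's personal.cnf is identical).
gen_leaf() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" &&
    openssl req -new -key "$1.key" -config tls.cnf -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 365 -extfile "$1.ext"
}

# Issue CA, server and client certs plus the PKCS#12 bundle into directory $1.
issue_all() {
    mkdir -p "$1" && (
        cd "$1" || exit 1
        write_configs && gen_ca && gen_leaf tls && gen_leaf personal &&
        openssl pkcs12 -export -out personal.pfx -inkey personal.key \
            -in personal.crt -passout pass:example
    ) >/dev/null 2>&1
}

# Return 0 only if every expected outcome holds: server cert chains for sslserver and matches
# a wildcard name but not a foreign one; client cert passes sslclient and fails sslserver.
verify_all() {
    (
        cd "$1" || exit 1
        v() { openssl verify -CAfile ca.crt "$@" >/dev/null 2>&1; }
        v -purpose sslserver tls.crt &&
        v -verify_hostname api.home.local tls.crt &&
        ! v -verify_hostname evil.example tls.crt &&
        v -purpose sslclient personal.crt &&
        ! v -purpose sslserver personal.crt
    )
}

run_demo() {
    dir=$(mktemp -d)
    issue_all "$dir" && verify_all "$dir" && echo "all checks passed, output in $dir" ||
        { echo "a check failed, inspect $dir" >&2; return 1; }
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not found, skipping" >&2
fi
```

The negative checks are the useful part: a leaf that verifies only because `openssl verify` was run without `-purpose` or `-verify_hostname` tells you nothing about whether a browser or a mTLS-enforcing server will accept it. Run the same `v` calls against any certificate you issue after changing `tls.ext`, and read `openssl x509 -in ca.crt -noout -text` once to confirm `CA:TRUE` actually landed in the CA cert.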