2 min read
Create a certificate authority and sign server certificates without prompting using openssl
Most of the times people want to get a certificate for the hostname localhost, let’s encrypt wrote a nice post about this, but sometimes people want a certificate for any hostname. And further, signed by a custom CA and if possible should the key material be generated without user interaction. In this post I have covered the less likely case.
Below you’ll find a list of bash commands. You can copy and paste all of them into a bash script or run each command at a time in the shell.
Set environment variables for key material configuration.
CA_CERT_PASSWORD=password
SERVER_CERT_PASSWORD=password
SERVER_CERT_CN=localhost
SERVER_ALT_NAME=localhostCreate the CA key.
openssl genrsa -des3 -passout pass:$CA_CERT_PASSWORD -out ca_key.pem 4096Create the CA certificate.
openssl req -x509 -new -nodes -key ca_key.pem -passin pass:$CA_CERT_PASSWORD -sha256 -days 1825 -out ca_cert.pem \
-subj "/C=CH/ST=Bern/L=Bern/O=AdNovum AG/CN=ca"Create the server key.
openssl genrsa -des3 -passout pass:$SERVER_CERT_PASSWORD -out ${SERVER_CERT_CN}_key.pem 2048Create the server certificate signing request.
openssl req -new -key ${SERVER_CERT_CN}_key.pem -passin pass:$SERVER_CERT_PASSWORD -out ${SERVER_CERT_CN}.csr \
-subj "/CN=$SERVER_CERT_CN"Create server certificate extension configuration.
cat > ./${SERVER_CERT_CN}.cnf <<EOT
authorityKeyIdentifier=keyid,issuer
keyUsage=digitalSignature
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $SERVER_ALT_NAME
EOTSign the server certificate signing request.
openssl x509 -req -in ${SERVER_CERT_CN}.csr -CA ca_cert.pem -CAkey ca_key.pem -passin pass:$CA_CERT_PASSWORD -CAcreateserial \
-out ${SERVER_CERT_CN}_cert.pem -days 1825 -sha256 -extfile ${SERVER_CERT_CN}.cnfTo create additional server certificates use the snippet below.
CA_CERT_PASSWORD=password
SERVER_CERT_PASSWORD=password
SERVER_CERT_CN=hostname
SERVER_ALT_NAME=hostname
openssl genrsa -des3 -passout pass:$SERVER_CERT_PASSWORD -out ${SERVER_CERT_CN}_key.pem 2048
openssl req -new -key ${SERVER_CERT_CN}_key.pem -passin pass:$SERVER_CERT_PASSWORD -out ${SERVER_CERT_CN}.csr \
-subj "/CN=$SERVER_CERT_CN"
cat > ./${SERVER_CERT_CN}.cnf <<EOT
authorityKeyIdentifier=keyid,issuer
keyUsage=digitalSignature
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $SERVER_ALT_NAME
EOT
openssl x509 -req -in ${SERVER_CERT_CN}.csr -CA ca_cert.pem -CAkey ca_key.pem -passin pass:$CA_CERT_PASSWORD -CAcreateserial \
-out ${SERVER_CERT_CN}_cert.pem -days 1825 -sha256 -extfile ${SERVER_CERT_CN}.cnfTags: keytool , openssl , certificate
Improve this page
Show statistic for this page