Creating certificates with OpenSSL

Some steps to create certificates using OpenSSL, either self-signed or signed by a CA.

Creating the conf file used for creating the CSR

srv1_tstlb_cert.conf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CA
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ontario
localityName = Locality Name (eg, city)
localityName_default = Toronto
organizationName = Organization name
organizationName_default = tstlb
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = DesignatedOU
# fieldName is the prompt label; fieldName_default is the value used when Enter is pressed
commonName = Common Name (eg, server FQDN)
commonName_default = srv1.tstlb.dom
commonName_max = 64
emailAddress = Email Address
emailAddress_default = admins@tstlb.dom
emailAddress_max = 40

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1   = srv1.tstlb.dom
DNS.2   = somecname.tstlb.dom
DNS.3   = someothercname.tstlb.dom
DNS.4   = srv2.tstlb.dom
IP.1   = 10.10.10.10

The [alt_names] section can list as many DNS and IP entries as needed. Modern clients match the host name against subjectAltName rather than the CN, so the CN value should also appear as a DNS entry. The keyUsage list above is broader than a TLS server certificate needs: digitalSignature and keyEncipherment are sufficient for an RSA server certificate, and nonRepudiation and dataEncipherment can be dropped.

Creating the key

openssl genrsa -out srv1_tstlb_cert.key 2048

Creating the CSR

openssl req -new -out srv1_tstlb_cert.csr -key srv1_tstlb_cert.key -config srv1_tstlb_cert.conf

Using SHA-2 for the CSR signature (modern CAs and clients reject SHA-1)

openssl genrsa -out srv1_tstlb_cert.key 2048
openssl req -new -out srv1_tstlb_cert.csr -key srv1_tstlb_cert.key -config srv1_tstlb_cert.conf -sha256

Creating the certificate

Three options for getting the certificate:

  1. Creating a self-signed certificate

    openssl x509 -signkey srv1_tstlb_cert.key -in srv1_tstlb_cert.csr -req -days 365 -extfile srv1_tstlb_cert.conf -extensions v3_req -out srv1_tstlb_cert.crt

    Without -extfile and -extensions, "x509 -req" silently drops the v3_req extensions carried in the CSR, so the self-signed certificate would end up with no subjectAltName.

  2. Using an external CA (private or public)

    Taking the CSR to the CA and getting the certificate back

  3. Creating a new CA locally and then using it to sign the certificate

    Examples here, here

    Then signing the certificate

Creating a pfx for this certificate

When the CA (for example a Windows CA) returns the certificate chain as a PKCS#7 (.p7b) file, convert it to PEM first. Despite the file name chosen below, the output contains every certificate in the bundle (the server certificate plus the intermediates), which is what the PKCS#12 export needs:

openssl pkcs7 -inform DER -in srv1_tstlb_cert_chain.p7b -text -print_certs -out intermediateCert.pem

Then bundle the private key and the certificate chain into a PKCS#12 file. The export password protects the private key inside the file.

With a .p12 extension

openssl pkcs12 -export -in intermediateCert.pem -inkey srv1_tstlb_cert.key -out srv1_tstlb_cert.p12
Enter Export Password:
Verifying - Enter Export Password:

or with a .pfx extension (the same PKCS#12 format; only the file name differs)

openssl pkcs12 -export -in intermediateCert.pem -inkey srv1_tstlb_cert.key -out srv1_tstlb_cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
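The following script is an added example, not part of the original page: it works through option 3 (a local CA signing the CSR, with the v3_req extensions preserved) and then the p7b to PEM to PKCS#12 steps from the last section. The file names, the CA subject, the export password and the "prompt = no" config files are assumptions made for this example; the PKCS#7 bundle is built locally with crl2pkcs7 as a stand-in for the one a Windows CA would hand back.

```shell
#!/bin/sh
# Added example, not from the original page: option 3 (a local CA signing
# the CSR) followed by the p7b -> PEM -> PKCS#12 steps. File names, the CA
# subject, the export password and "prompt = no" configs are assumptions.
set -eu

# Minimal equivalent of srv1_tstlb_cert.conf, with prompt = no so the
# run needs no keyboard input (constructed for this example).
write_server_conf() {
    cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = CA
ST = Ontario
L = Toronto
O = tstlb
CN = srv1.tstlb.dom
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = srv1.tstlb.dom
DNS.2 = somecname.tstlb.dom
IP.1 = 10.10.10.10
EOF
}

# The CA's own certificate needs CA:TRUE and keyCertSign to act as issuer.
write_ca_conf() {
    cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = CA
O = tstlb
CN = tstlb local CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Runs the whole flow in directory $1 and prints the number of
# certificates found in the resulting .pfx (2: server cert + CA).
sign_and_bundle() {
    dir="$1"; pw="pass:ExamplePassw0rd"   # assumed export password
    write_server_conf "$dir/srv1_tstlb_cert.conf"
    write_ca_conf "$dir/tstlb_ca.conf"

    # 1. Local CA: key plus self-signed CA certificate.
    openssl genrsa -out "$dir/tstlb_ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$dir/tstlb_ca.key" \
        -config "$dir/tstlb_ca.conf" -out "$dir/tstlb_ca.crt"

    # 2. Server key and CSR, as on the page.
    openssl genrsa -out "$dir/srv1_tstlb_cert.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/srv1_tstlb_cert.key" \
        -config "$dir/srv1_tstlb_cert.conf" -out "$dir/srv1_tstlb_cert.csr"

    # 3. CA signs the CSR. "x509 -req" ignores the CSR's own extensions,
    #    so -extfile/-extensions re-apply v3_req or the SANs are lost.
    openssl x509 -req -sha256 -days 365 -in "$dir/srv1_tstlb_cert.csr" \
        -CA "$dir/tstlb_ca.crt" -CAkey "$dir/tstlb_ca.key" -CAcreateserial \
        -extfile "$dir/srv1_tstlb_cert.conf" -extensions v3_req \
        -out "$dir/srv1_tstlb_cert.crt" 2>/dev/null

    # 4. Checks: the certificate chains to the CA, and the SAN survived signing.
    openssl verify -CAfile "$dir/tstlb_ca.crt" "$dir/srv1_tstlb_cert.crt" >/dev/null
    openssl x509 -in "$dir/srv1_tstlb_cert.crt" -noout -text \
        | grep -q 'DNS:srv1.tstlb.dom' || return 1

    # 5. Stand-in for the .p7b a Windows CA hands back: a DER PKCS#7 bundle
    #    holding the chain, converted to PEM exactly as on the page.
    openssl crl2pkcs7 -nocrl -certfile "$dir/srv1_tstlb_cert.crt" \
        -certfile "$dir/tstlb_ca.crt" -outform DER -out "$dir/chain.p7b"
    openssl pkcs7 -inform DER -in "$dir/chain.p7b" -print_certs \
        -out "$dir/intermediateCert.pem"

    # 6. Key + chain into one PKCS#12 (.pfx and .p12 are the same format).
    openssl pkcs12 -export -in "$dir/intermediateCert.pem" \
        -inkey "$dir/srv1_tstlb_cert.key" -out "$dir/srv1_tstlb_cert.pfx" \
        -passout "$pw"
    openssl pkcs12 -in "$dir/srv1_tstlb_cert.pfx" -passin "$pw" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh sign_and_bundle.sh run   (works in a fresh temporary directory)
if [ "${1:-}" = "run" ]; then
    sign_and_bundle "$(mktemp -d)"
fi
```

Two points the page's commands do not show: the chain check in step 4 is what tells you the SANs actually made it into the signed certificate, and the count in step 6 confirms the CA certificate travelled with the server certificate into the .pfx. OpenSSL 3 writes PKCS#12 files with AES and PBKDF2; older Windows releases only read the legacy RC2/3DES encoding, for which OpenSSL 3's pkcs12 command offers a -legacy switch.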