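### Create an OpenSSL key and certificate:
```bash
# Generate a new 4096-bit RSA key and a self-signed certificate valid for 365 days
# (prompts for a passphrase to protect key.pem)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
```
#### To convert these into DER-encoded .key and .crt files:
```bash
# DER output from `openssl rsa` is not passphrase-protected; restrict access to server.key
openssl rsa -outform der -in key.pem -out server.key
```
```bash
openssl x509 -outform der -in cert.pem -out server.crt
```
---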
### To create a root CA:
```bash
# 4096-bit RSA key for the CA, encrypted with a passphrase (-des3)
openssl genrsa -des3 -out rootCA.key 4096
```
```bash
# Self-signed root certificate, valid for 1024 days
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
```
### OR
```bash
# Unencrypted CA key plus a CSR that is self-signed in a later step
openssl genrsa -out "root-ca.key" 4096
openssl req \
  -new -key "root-ca.key" \
  -out "root-ca.csr" -sha256 \
  -subj '/C=IN/ST=GA/L=PO/O=TEST/CN=Example CA'
```
Create a file `root-ca.cnf` and paste the following contents into it. This constrains the root CA to signing leaf certificates and not intermediate CAs.
```
[root_ca]
# pathlen:0 = no intermediate CA may appear below this root
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash
```
```bash
# Self-sign the root CA certificate with the [root_ca] extensions
openssl x509 -req -days 3650 -in "root-ca.csr" \
  -signkey "root-ca.key" -sha256 -out "root-ca.crt" \
  -extfile "root-ca.cnf" -extensions root_ca
# Key and CSR for the site certificate
openssl genrsa -out "site.key" 4096
openssl req -new -key "site.key" -out "site.csr" -sha256 \
  -subj '/C=IN/ST=GA/L=PO/O=TEST/CN=localhost'
# Sign the site CSR with the root CA; site.cnf must define a [server] extensions section
openssl x509 -req -days 750 -in "site.csr" -sha256 \
  -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial \
  -out "site.crt" -extfile "site.cnf" -extensions server
```
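The `pathlen` value in `[root_ca]` is what enforces the "leaf certificates only" constraint. This added example (not part of the original paste) builds root -> intermediate CA -> leaf with throwaway keys and checks with `openssl verify` that the chain is accepted at `pathlen:1` and rejected at `pathlen:0`. The file names, the `sub_ca` and `server` section contents, the 2048-bit keys and OpenSSL 1.1.0 or later are assumptions.

```bash
#!/usr/bin/env bash
# Added example: throwaway keys and constructed names, all in a temp directory.
set -eu

# chain_result <pathlen>
# Builds root (with the given pathlen) -> intermediate CA -> leaf and prints
# OK or REJECTED depending on whether `openssl verify` accepts the leaf.
chain_result() (
  set -e; d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  # One extensions file for the demo; sub_ca and server are assumed contents.
  cat > ext.cnf <<EOF
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:$1
keyUsage = critical, cRLSign, keyCertSign
[sub_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
[server]
basicConstraints = critical,CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
  # 2048-bit keys keep the run short; the page's commands use 4096.
  for n in root sub leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
      -out "$n.csr" -sha256 -subj "/O=TEST/CN=demo-$n" 2>/dev/null
  done
  sign() { openssl x509 -req -days 30 -sha256 -extfile ext.cnf "$@" 2>/dev/null; }
  sign -in root.csr -signkey root.key -out root.crt -extensions root_ca
  sign -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out sub.crt -extensions sub_ca
  sign -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -out leaf.crt -extensions server
  # The intermediate is supplied as untrusted; only the root is a trust anchor.
  if openssl verify -CAfile root.crt -untrusted sub.crt leaf.crt >/dev/null 2>&1
  then echo OK; else echo REJECTED; fi
)

echo "root pathlen:1 with an intermediate -> $(chain_result 1)"
echo "root pathlen:0 with an intermediate -> $(chain_result 0)"
```

At `pathlen:0` the root can still sign leaf certificates directly, which is the `site.crt` case above.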