This documentation contains the complete set of commands to create a new OpenSSL
- self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple
- SANs can be included in a certificate by adding each domain as a comma-delimited string.
- Each key can be encrypted or unencrypted, with multiple encryption options; AES
- (aes128 or aes256) is recommended. Optional verification can
- also be performed between multiple levels of certificates to ensure the chain of trust
- is valid.
This documentation is also available in portable AsciiDoc format in my - documentation source code repository.
-openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM
openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem
openssl genrsa <encryption type> -out <server key name>.pem <key size>
openssl rsa -noout -text -in <server key name>.pem
openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem
openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem
openssl x509 -noout -text -in <server certificate name>.pem
openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem
This documentation contains the complete set of commands to create a new OpenSSL self-signed
+ certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included in a
+ certificate by adding each domain as a comma-delimited string. Each key can be encrypted or unencrypted,
+ with multiple encryption options; AES (aes128 or aes256) is recommended.
+ Optional verification can also be performed between multiple levels of certificates to ensure the chain
+ of trust is valid.
This documentation is also available in portable AsciiDoc format in my + documentation source code repository.
+openssl x509 -in <CA certificate name>.pem -out
+ <CA certificate name>.pem -outform PEM
openssl verify -CAfile <CA certificate name>.pem
+ <intermediate CA certificate name>.pem
openssl genrsa <encryption type> -out
+ <server key name>.pem <key size>
openssl rsa -noout -text -in <server key name>.pem
openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>"
+ -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key
+ <server key name>.pem -out
+ <server certificate signing request name>.pem
openssl x509 -sha256 -req -days <days of validity> -in
+ <server certificate signing request name>.pem -CA
+ <intermediate CA certificate name>.pem -CAkey
+ <intermediate CA key name>.pem -extensions SAN -extfile <(cat
+ /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out
+ <server certificate name>.pem
openssl x509 -noout -text -in <server certificate name>.pem
openssl verify -CAfile <intermediate CA certificate name>.pem
+ <server certificate>.pem