This documentation contains the complete set of commands to create a new OpenSSL self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included in a certificate by listing each domain in a comma-delimited string. Each key can be stored encrypted or unencrypted, with several encryption options; AES (aes128 or aes256) is recommended. Optional verification can also be performed between the levels of the chain (CA to intermediate, intermediate to server) to ensure the chain of trust is valid.
This documentation is also available in portable AsciiDoc format in my
documentation source code repository.
Convert Certificate to PEM Format
openssl x509 -inform DER -in <CA certificate name>.der -out <CA certificate name>.pem -outform PEM
This assumes the source certificate is DER-encoded (the other encoding openssl x509 reads). Use a different output file name from the input so the original file is not overwritten.
Verify Chain of Trust (CA to Intermediate)
openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem
Create Server Key
openssl genrsa <encryption type> -out <server key name>.pem <key size>
Here <encryption type> is -aes128 or -aes256 (omit it for an unencrypted key); with encryption enabled, openssl prompts for a passphrase that will be needed whenever the key is used.
Verify Server Key
openssl rsa -noout -text -in <server key name>.pem
Create Server Certificate Signing Request
openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem
Create Server Certificate
openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -CAcreateserial -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:<alternative DNS entry>")) -out <server certificate name>.pem
The subjectAltName has to be repeated here because openssl x509 -req does not copy extensions from the CSR into the signed certificate; without the [SAN] section the issued certificate would carry no SAN at all. -CAcreateserial creates the intermediate CA's serial-number file (<intermediate CA certificate name>.srl) the first time it is used. The <( ... ) process substitution requires bash.
Verify Server Certificate
openssl x509 -noout -text -in <server certificate name>.pem
Verify Chain of Trust (Intermediate to Server)
openssl verify -CAfile <CA certificate name>.pem -untrusted <intermediate CA certificate name>.pem <server certificate name>.pem
openssl verify requires the chain to end at a self-signed trusted certificate, so passing only the intermediate via -CAfile fails with "unable to get issuer certificate". The form above trusts the root CA and supplies the intermediate as an untrusted chain certificate, which is how a TLS client validates the server. To check only the intermediate-to-server signature, add -partial_chain: openssl verify -partial_chain -CAfile <intermediate CA certificate name>.pem <server certificate name>.pem
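The whole procedure above, run end to end as a script, is added here as an example; it is not part of the original documentation. It builds a throw-away root CA and intermediate CA in a scratch directory (those two steps are not shown on this page and are assumed here), issues a server certificate with two SAN entries, and then runs the chain-of-trust and hostname checks a client would apply. All file names, subjects and hostnames (example.test, root-ca.pem, int-ca.pem, server.pem) are constructed for the demo. It uses plain files instead of bash process substitution so it runs under POSIX sh, and it needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not part of the original documentation: build a throw-away
# root CA -> intermediate CA -> server certificate chain, issue the server
# certificate with a multi-entry subjectAltName, and verify the chain of trust
# and hostname the way a TLS client would. Every file name, subject and
# hostname below is constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Constructed input: the names the server certificate must cover, written as
# a comma-delimited DNS.1/DNS.2 list exactly as the documentation describes.
SAN_LIST="DNS.1:www.example.test,DNS.2:api.example.test"

build_chain() (
    cd "$WORK"

    # 1. Root CA (assumed prerequisite, not shown on the page): unencrypted key
    #    (add -aes256 to genrsa for an encrypted one), self-signed with CA:TRUE
    #    and keyCertSign supplied through an extension file.
    openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
    printf '[ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root-ext.cnf
    openssl req -new -sha256 -key root-ca-key.pem \
        -subj "/C=US/ST=CA/L=Demo/O=Example Labs/CN=Example Root CA" -out root-ca.csr
    openssl x509 -sha256 -req -days 3650 -in root-ca.csr -signkey root-ca-key.pem \
        -extensions ext -extfile root-ext.cnf -out root-ca.pem

    # 2. Intermediate CA (assumed prerequisite): CSR signed by the root;
    #    pathlen:0 stops it from issuing further CAs. -CAcreateserial creates
    #    root-ca.srl on first use.
    openssl genrsa -out int-ca-key.pem 2048 2>/dev/null
    printf '[ext]\nbasicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int-ext.cnf
    openssl req -new -sha256 -key int-ca-key.pem \
        -subj "/C=US/ST=CA/L=Demo/O=Example Labs/CN=Example Intermediate CA" -out int-ca.csr
    openssl x509 -sha256 -req -days 1825 -in int-ca.csr \
        -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
        -extensions ext -extfile int-ext.cnf -out int-ca.pem

    # 3. Server: the SAN goes into the CSR with -addext, but "x509 -req" does
    #    not copy CSR extensions into the certificate, so the SAN (plus
    #    end-entity constraints) is supplied again via -extfile, as the page does.
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -new -sha256 -key server-key.pem \
        -subj "/C=US/ST=CA/L=Demo/O=Example Labs/CN=www.example.test" \
        -addext "subjectAltName = $SAN_LIST" -out server.csr
    printf '[SAN]\nsubjectAltName=%s\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        "$SAN_LIST" > server-ext.cnf
    openssl x509 -sha256 -req -days 397 -in server.csr \
        -CA int-ca.pem -CAkey int-ca-key.pem -CAcreateserial \
        -extensions SAN -extfile server-ext.cnf -out server.pem
)

# Chain of trust as a client sees it: only the root is trusted and the
# intermediate is passed as an untrusted helper certificate.
verify_chain() {
    openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$WORK/int-ca.pem" "$WORK/server.pem" >/dev/null
}

# Intermediate-to-server only: the intermediate is not self-signed, so this
# needs -partial_chain. The same command without it (next function) fails
# with "unable to get issuer certificate" and a non-zero exit status.
verify_from_intermediate() {
    openssl verify -partial_chain -CAfile "$WORK/int-ca.pem" "$WORK/server.pem" >/dev/null
}
verify_from_intermediate_no_root() {
    openssl verify -CAfile "$WORK/int-ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Hostname check against the SAN: once a SAN is present the CN is ignored,
# so a name missing from SAN_LIST is rejected even if it matched the CN.
verify_hostname() {
    openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$WORK/int-ca.pem" \
        -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Number of DNS entries in the issued certificate's subjectAltName.
san_dns_count() {
    openssl x509 -noout -text -in "$WORK/server.pem" | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    build_chain
    verify_chain && verify_from_intermediate && verify_hostname api.example.test \
        && echo "chain OK, $(san_dns_count) SAN entries, files in $WORK"
fi
```

Running it with the argument run leaves the keys, CSRs, certificates and .srl files in the scratch directory so each of them can be inspected with the openssl x509 -noout -text and openssl rsa -noout -text commands from the steps above.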