techne/openssl.org
2024-09-20 21:17:26 -05:00

3.4 KiB

OpenSSL

Certificate and CA for HTTPS

Self-signed certificate

To generate a self-signed certificate:

openssl req \
        -newkey rsa:4096 \
        -x509 \
        -sha256 \
        -days 3650 \
        -noenc \
        -out coffeeNET.crt \
        -keyout coffeeNET.key \
        -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"

What these options mean:

Option Description
-newkey rsa:4096 Generates a new certificate request and a 4096-bit RSA key. The default is 2048 is you don't specify.
-x509 Specifies that you want to create a self-signed certificate rather than a certificate signing request.
-sha256 Uses the 256-bit SHA (Secure Hash Algorithm) for the certificate.
-days 3650 Sets the validity of the certificate to 3650 days (10 years), but you can adjust this to any positive integer.
-noenc Creates the certificate without a passphrase. Stands for "no encryption".
-out coffeeNET.crt Outputs the certificate to a file named coffeeNET.crt.
-keyout coffeeNET.key Outputs the private key to a file named coffeeNET.key.
-subj Provides subject information about the certificate. See below.

Subject information:

Option Description
/C=US Country code
/ST=Illinois State
/L=Chicago Locality/city
/O=coffeeNET Organization name
/OU=Homelab Organizational unit
/CN=lab.home.arpa Common name, which is often the fully-qualified domain name for the certificate.

Certificate Authority

Create a private key for the CA. This key should be encrypted with AES for security reasons, and you should use a strong password of 20+ characters.

openssl req \
        -x509 \
        -new \
        -key coffeeNET-RootCA.key \
        -sha256 \
        -days 1826 \
        -out coffeeNET-RootCA.crt \
        -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"

Add the CA certificate to the trusted root certificates on clients:

sudo cp coffeeNET-RootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

These steps establish your own CA, after which you can sign certificates with it to be recognized as valid within your network.