mirror of
https://codeberg.org/hyperreal/techne
synced 2024-11-01 14:23:06 +01:00
3.4 KiB
3.4 KiB
OpenSSL
Certificate and CA for HTTPS
Self-signed certificate
To generate a self-signed certificate:
openssl req \
-newkey rsa:4096 \
-x509 \
-sha256 \
-days 3650 \
-noenc \
-out coffeeNET.crt \
-keyout coffeeNET.key \
-subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
What these options mean:
Option | Description |
---|---|
-newkey rsa:4096 |
Generates a new certificate request and a 4096-bit RSA key. The default is 2048 is you don't specify. |
-x509 |
Specifies that you want to create a self-signed certificate rather than a certificate signing request. |
-sha256 |
Uses the 256-bit SHA (Secure Hash Algorithm) for the certificate. |
-days 3650 |
Sets the validity of the certificate to 3650 days (10 years), but you can adjust this to any positive integer. |
-noenc |
Creates the certificate without a passphrase. Stands for "no encryption". |
-out coffeeNET.crt |
Outputs the certificate to a file named coffeeNET.crt . |
-keyout coffeeNET.key |
Outputs the private key to a file named coffeeNET.key . |
-subj |
Provides subject information about the certificate. See below. |
Subject information:
Option | Description |
---|---|
/C=US |
Country code |
/ST=Illinois |
State |
/L=Chicago |
Locality/city |
/O=coffeeNET |
Organization name |
/OU=Homelab |
Organizational unit |
/CN=lab.home.arpa |
Common name, which is often the fully-qualified domain name for the certificate. |
Certificate Authority
Create a private key for the CA. This key should be encrypted with AES for security reasons, and you should use a strong password of 20+ characters.
openssl req \
-x509 \
-new \
-key coffeeNET-RootCA.key \
-sha256 \
-days 1826 \
-out coffeeNET-RootCA.crt \
-subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
Add the CA certificate to the trusted root certificates on clients:
sudo cp coffeeNET-RootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
These steps establish your own CA, after which you can sign certificates with it to be recognized as valid within your network.