Editing Creating a Self-Signed Certificate (section)

= Creating Certificates =

== Standard Certificates ==

You can do that in one command:

 openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

The '''-nodes''' option disables protecting your cert with a passphrase, otherwise it will prompt you for "at least a 4 character" password. The days parameter (365) you can replace with any number to affect expiration date. It will then prompt you for things like "Country Name" but you can just hit enter and accept defaults.
Self-signed certs are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a CA

Add '''-subj '/CN=localhost'''' to suppress questions about the contents of the certificate (replace localhost with your desired domain)

== Creating a Cert with a SAN ==


Create a file named ''san.cnf'' with the following information:
<pre>[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.net
DNS.2 = company.com
DNS.3 = company.net</pre>

Note: alt_names section is the one you have to change for additional DNS.  You can also use ''IP.1'' entries to insert IP addresses as SANs

Save the file and execute the following OpenSSL command, which will generate PEM and KEY file

 openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout sancert.key -out sancert.pem -config san.cnf -extensions 'v3_req'

== Converting .crt to .pem ==

In most cases, a simple copy or rename will suffice, but if necessary, use openssl to convert the certificate:

 openssl x509 -in sancert.crt -out sancert.pem -outform PEM

== Reading/Verifying a certificate ==

 openssl x509 -in cert.pem -text -noout