openssl allows generating a self-signed certificate with a single command (-newkey instructs it to generate a private key and -x509 instructs it to issue a self-signed certificate instead of a signing request):
openssl req -x509 -newkey rsa:4096 \
    -keyout my.key -passout pass:123456 -out my.crt \
    -days 365 \
    -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
    -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
    -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
You can generate a private key and construct a self-signed certificate in separate steps (note that genrsa only encrypts the key when a cipher such as -aes256 is given; without it -passout has no effect):

openssl genrsa -aes256 -out my.key -passout pass:123456 2048

openssl req -x509 \
    -key my.key -passin pass:123456 -out my.crt \
    -days 3650 \
    -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
    -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
    -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
Review the resulting certificate:
openssl x509 -text -noout -in my.crt
With openssl we can add an extra step:

- generate private key (openssl genrsa)
- generate CSR (openssl req -new)
- sign CSR with private key (openssl x509)
The problem here is that openssl x509 doesn't support an option like -addext, so we need to craft a config file... Of course, with the Bash process substitution syntax <(...) we can supply the required extensions inline:
openssl genrsa -aes256 -out my.key -passout pass:123456 2048

openssl req -new \
    -key my.key -passin pass:123456 -out my.csr \
    -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal

openssl x509 -req \
    -in my.csr -signkey my.key -passin pass:123456 -out my.crt \
    -days 3650 -CAcreateserial \
    -extensions v3_ca \
    -extfile <( \
        echo "[v3_ca]"; \
        echo "extendedKeyUsage=serverAuth"; \
        echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal")
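The same three-step flow as an added example that is not part of the original page, written as a plain POSIX sh script: the extensions go into a small config file (so no Bash <(...) is needed), the key is actually encrypted (-aes256), and the result is checked for the expected SAN entries and for CA:FALSE before it is used. The working directory, file names, the passphrase and the v3_server section name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the page's own commands): key -> CSR -> self-signed certificate
# with the X.509 v3 extensions kept in a config file instead of Bash's <(...).
set -eu

# Write the extension section once; both the name v3_server and its contents are assumptions.
write_ext_config() {
    cat > "$1" <<'EOF'
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, DNS:web.internal, email:me@mail.internal
EOF
}

# make_selfsigned DIR PASS: writes DIR/my.key, DIR/my.csr and DIR/my.crt
make_selfsigned() {
    dir="$1"; pass="$2"
    write_ext_config "$dir/ext.cnf"
    # -aes256 is what makes -passout actually encrypt the key on disk
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/my.key" 2048 2>/dev/null
    openssl req -new -key "$dir/my.key" -passin "pass:$pass" -out "$dir/my.csr" \
        -subj "/CN=localhost/O=home/C=US/emailAddress=me@mail.internal"
    # x509 -req takes its extensions from -extfile/-extensions, not from -addext
    openssl x509 -req -in "$dir/my.csr" -signkey "$dir/my.key" -passin "pass:$pass" \
        -days 365 -extfile "$dir/ext.cnf" -extensions v3_server -out "$dir/my.crt" 2>/dev/null
}

# key_is_encrypted KEY: succeeds if the PEM is passphrase-protected
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# cert_has_san CERT ENTRY: succeeds if ENTRY (e.g. DNS:web.internal) is in subjectAltName
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q -- "$2"
}

# cert_is_ca CERT: succeeds if basicConstraints marks the certificate as a CA
cert_is_ca() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

main() {
    work=$(mktemp -d)
    make_selfsigned "$work" 123456
    openssl x509 -noout -subject -dates -in "$work/my.crt"
    key_is_encrypted "$work/my.key" && echo "key is encrypted"
    cert_has_san "$work/my.crt" DNS:web.internal && echo "SAN contains web.internal"
    cert_is_ca "$work/my.crt" || echo "certificate is not a CA (as intended for a server cert)"
    rm -rf "$work"
}

main "$@"
```

Running the script prints the subject and validity window of the generated certificate followed by the three checks; because every function returns a shell status, the same checks can be reused in a deployment pipeline to refuse a certificate whose SAN does not cover the host names a client will connect with.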
Java keytool creates a PKCS#12 store:

keytool -genkeypair -keystore my.p12 -alias master \
    -storetype pkcs12 -keyalg RSA -keysize 2048 -validity 3650 \
    -storepass 123456 \
    -dname "CN=localhost,O=home,C=US" \
    -ext 'san=dns:localhost,dns:web.internal,email:me@mail.internal'
To export the self-signed certificate:

keytool -exportcert -keystore my.p12 -file my.crt \
    -alias master -rfc -storepass 123456
Review the resulting certificate:
keytool -printcert -file my.crt
- How to create a self-signed certificate with OpenSSL: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092
Use a private key and corresponding self-signed certificate to launch a server:
openssl s_server -accept 8000 -www -key my.key -cert my.crt
Clients should use the self-signed certificate itself for verification:

echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt

curl -v --cacert my.crt https://localhost:8000

There is no certificate chain, so the check is trivial for self-signed certificates...
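As an added example (not from the original page), the following sh script makes the "trivial check" concrete without starting a server: the client's -CAfile my.crt pins exactly that certificate. A second self-signed certificate with the same subject and SAN is rejected by openssl verify, and so is my.crt when checked against the system trust store. File names, the subject and the use of unencrypted keys for the throwaway certificates are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the page's own commands): what "-CAfile my.crt" actually pins.
set -eu

# gen_selfsigned DIR NAME: one-step key + self-signed certificate (DIR/NAME.key, DIR/NAME.crt).
# The key is left unencrypted (-nodes) only because these are throwaway demo files.
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.crt" \
        -days 365 -subj "/CN=localhost/O=home/C=US" \
        -addext "subjectAltName = DNS:localhost" 2>/dev/null
}

# verify_with CERT CAFILE: status of openssl verify with CAFILE as the only configured trust anchor
verify_with() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_system CERT: status of openssl verify against the default (system) trust store
verify_system() {
    openssl verify "$1" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    gen_selfsigned "$work" my
    gen_selfsigned "$work" rogue    # same subject and SAN, but a different key

    if verify_with "$work/my.crt" "$work/my.crt"; then
        echo "my.crt against -CAfile my.crt: OK (the anchor is the certificate itself)"
    fi
    if verify_with "$work/rogue.crt" "$work/my.crt"; then
        echo "unexpected: rogue.crt accepted"
    else
        echo "rogue.crt against -CAfile my.crt: rejected (same name, different key)"
    fi
    if verify_system "$work/my.crt"; then
        echo "unexpected: my.crt accepted by the system store"
    else
        echo "my.crt against the system trust store: rejected (no chain to a known CA)"
    fi
    rm -rf "$work"
}

main "$@"
```

The two rejections are the point of pinning a self-signed certificate on the client: the name in the certificate buys nothing by itself, and only the exact certificate (and therefore key) handed out of band is trusted, which is also why rotating such a certificate means redistributing it to every client.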