OpenSSL Certificate Command
Prerequisites
Create the certificate extension files
ca.conf
server.conf
client.conf
ca.conf
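# ca.conf - OpenSSL configuration for the self-signed root CA.
# Used by: openssl req -x509 -config ca.conf -extensions extensions
# OpenSSL config files use "#" for comments (";" is not a comment character here).

[req]
distinguished_name = req_distinguished_name
# Must name a section that exists in this file. The original value "v3_req"
# pointed at no section and only worked because the command line passed
# "-extensions extensions"; without that flag OpenSSL fails to load it.
x509_extensions = extensions
prompt = no

[req_distinguished_name]
C = KR
O = ksmartech.com
OU = rnd
CN = caroot

[extensions]
basicConstraints = critical, @basic_constraints
# A CA key only needs to sign certificates and CRLs; the previous
# keyEncipherment/digitalSignature/nonRepudiation bits are end-entity
# usages and over-privileged the root. RFC 5280 recommends marking
# keyUsage critical.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Optional for a CA; kept from the original file.
subjectAltName = @alt_names

[basic_constraints]
CA = true
# At most one intermediate CA may sit below this root.
pathlen = 1

[alt_names]
DNS.1 = localhost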
server.conf
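# server.conf - OpenSSL configuration for the TLS server CSR and certificate.
# Used by: openssl req -config server.conf ...           (CSR)
#          openssl x509 -req -extfile server.conf -extensions extensions (signing)
# OpenSSL config files use "#" for comments.

[req]
distinguished_name = req_distinguished_name
# Extensions added to the CSR by "openssl req -new" (overridable with -reqexts).
req_extensions = extensions
# Only consulted with "openssl req -x509"; fixed to an existing section
# (the original "v3_req" does not exist in this file).
x509_extensions = extensions
prompt = no

[req_distinguished_name]
C = KR
O = ksmartech.com
OU = rnd
CN = server

[extensions]
basicConstraints = critical, @basic_constraints
# RFC 5280 recommends marking keyUsage critical.
keyUsage = critical, keyEncipherment, digitalSignature, nonRepudiation
# Restricts the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
# TLS clients match the hostname against the SAN, not the CN; list every
# name the server is reached by as DNS.n (or IP.n) entries.
subjectAltName = @alt_names

[basic_constraints]
CA = false

[alt_names]
DNS.1 = localhost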
client.conf
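# client.conf - OpenSSL configuration for the TLS client CSR and certificate.
# Used by: openssl req -config client.conf ...           (CSR)
#          openssl x509 -req -extfile client.conf -extensions extensions (signing)
# OpenSSL config files use "#" for comments.

[req]
distinguished_name = req_distinguished_name
# Extensions added to the CSR by "openssl req -new" (overridable with -reqexts).
req_extensions = extensions
# Only consulted with "openssl req -x509"; fixed to an existing section
# (the original "v3_req" does not exist in this file).
x509_extensions = extensions
prompt = no

[req_distinguished_name]
C = KR
O = ksmartech.com
OU = rnd
CN = client

[extensions]
basicConstraints = critical, @basic_constraints
# RFC 5280 recommends marking keyUsage critical.
keyUsage = critical, keyEncipherment, digitalSignature, nonRepudiation
# Restricts the certificate to TLS client authentication.
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash

[basic_constraints]
CA = false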
Generate
Generate CA Private Key and Certificate
# Root CA: self-signed, 2048-bit RSA, SHA-256, valid for 1000 days.
# "-nodes" writes ca.key to disk unencrypted - it is the trust anchor for
# every certificate below, so restrict access to it accordingly.
# "-extensions extensions" selects the [extensions] section of ca.conf.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1000 \
  -config ca.conf -extensions extensions \
  -keyout ca.key -out ca.crt
Generate Server &amp; Client CSRs
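# Server: generate a new private key and CSR in one step.
# "-reqexts" selects the CSR extension section on every OpenSSL release;
# on OpenSSL 1.1.x "-extensions" only applies to "-x509" output, so the
# original commands silently produced CSRs without these extensions there.
openssl req -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr -config server.conf -reqexts extensions
# Server: CSR from an existing private key ("-sha256" kept explicit for consistency).
openssl req -new -sha256 -key server.key -out server.csr -config server.conf -reqexts extensions
# Client: generate a new private key and CSR in one step.
openssl req -newkey rsa:2048 -nodes -sha256 -keyout client.key -out client.csr -config client.conf -reqexts extensions
# Client: CSR from an existing private key.
openssl req -new -sha256 -key client.key -out client.csr -config client.conf -reqexts extensions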
Verify the Generated CSRs &amp; Private Keys
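# Check key consistency. "-noout" stops "openssl rsa" from echoing the
# private key PEM to stdout after "RSA key ok" (it otherwise ends up in
# terminal scrollback and shell logs).
openssl rsa -check -noout -in server.key
# "-verify" checks the CSR's self-signature; "-text" prints the request.
openssl req -text -noout -verify -in server.csr
openssl rsa -check -noout -in client.key
openssl req -text -noout -verify -in client.csr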
Generate Certificates
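# Sign each CSR with the CA.
# "-CAcreateserial" creates ca.srl on first use (older OpenSSL releases abort
# when the serial file is missing); "-sha256" pins the signature digest instead
# of relying on the build's default. Note that "openssl x509 -req" does not
# copy extensions from the CSR: the -extfile/-extensions pair is what ends up
# in the certificate.
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile server.conf -extensions extensions -out server.crt
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile client.conf -extensions extensions -out client.crt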
Verify the Generated Certificates
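# Inspect the issued certificates (subject, SAN, key usage, validity).
openssl x509 -noout -text -in server.crt
openssl x509 -noout -text -in client.crt
# "-text" only prints; it does not check the signature. Verify the chain
# against the CA and that each certificate is usable for its intended role.
openssl verify -CAfile ca.crt -purpose sslserver server.crt
openssl verify -CAfile ca.crt -purpose sslclient client.crt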
References