There are endless guides on the internet that use endless methods to generate certificates and CAs, but I have not found one that is simple to use to create a custom CA and a CA-signed certificate with SAN (Subject Alternative Name) to perform some testing.
So I created a simple set of steps:
Create a ca.key
❯ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
................+++
e is 65537 (0x10001)
❯ ls
ca.key
Create a ca.crt
❯ openssl req -x509 -sha256 -new -nodes -key ca.key -days 3650 -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
❯ ls
ca.crt ca.key
View the details of ca.crt
❯ openssl x509 -in ca.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13792855951803780583 (0xbf6a116915658de7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US
        Validity
            Not Before: Feb 2 16:15:31 2022 GMT
            Not After : Jan 31 16:15:31 2032 GMT
        Subject: C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
        ...
Create your certificate key private.key
❯ openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
.............................................+++
e is 65537 (0x10001)
❯ ls
ca.crt ca.key private.key
Create a CSR public.csr
❯ openssl req -new -key private.key -out public.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
❯ ls
ca.crt ca.key private.key public.csr
Create an x509 v3 certificate extension config
❯ cat san.cnf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = hostname
DNS.2 = hostname.domain
DNS.3 = localhost
IP.1 = 10.10.10.10
IP.2 = 127.0.0.1
You will need to edit the DNS names and IP addresses. For local testing I always like to add localhost and 127.0.0.1.
Create public.crt
❯ openssl x509 -req -in public.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out public.crt -days 825 -sha256 -extfile san.cnf
Signature ok
subject=/C=US
Getting CA Private Key
❯ ls
ca.crt ca.key ca.srl private.key public.crt public.csr san.cnf
Verify public.crt
❯ openssl x509 -in public.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17424726433726856201 (0xf1d1105f0ea5fc09)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US
        Validity
            Not Before: Feb 2 16:28:40 2022 GMT
            Not After : May 7 16:28:40 2024 GMT
        Subject: C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                DirName:/C=US
                serial:BF:6A:11:69:15:65:8D:E7
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:hostname, DNS:hostname.domain, DNS:localhost, IP Address:10.10.10.10, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
        ...
Please note that the SAN is set on public.crt.
Verify the cert against the CA
❯ openssl verify -verbose -CAfile ca.crt public.crt
public.crt: OK
You will use public.crt and private.key on your server and ca.crt from your client to access your server.
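The steps above as one non-interactive script, added here as an example (it is not the author's script), followed by the check a TLS client actually performs: chain to ca.crt plus a name match. The function names, the temporary directory and the `-subj` values are assumptions; the leaf CN is deliberately a constructed name that is not in the SAN, to show that a client ignores the CN once DNS entries are present in the SAN.

```shell
#!/bin/sh
# Added example: function names and -subj values are assumptions, not from the page.
# The SAN entries are the placeholder values from san.cnf above.

# make_test_pki DIR: run the steps from this page non-interactively inside DIR.
make_test_pki() {
  mkdir -p "$1" && (
    cd "$1" && umask 077 &&   # keep ca.key and private.key owner-only
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -x509 -sha256 -new -nodes -key ca.key -days 3650 \
      -subj "/C=US/CN=Test CA" -out ca.crt &&
    openssl genrsa -out private.key 2048 2>/dev/null &&
    # Constructed CN that is NOT listed in the SAN below.
    openssl req -new -key private.key -subj "/C=US/CN=cn-only.test" -out public.csr &&
    cat > san.cnf <<'EOF' &&
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = hostname
DNS.2 = hostname.domain
DNS.3 = localhost
IP.1 = 10.10.10.10
IP.2 = 127.0.0.1
EOF
    openssl x509 -req -in public.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out public.crt -days 825 -sha256 -extfile san.cnf >/dev/null 2>&1
  )
}

# client_accepts DIR host|ip VALUE: exit 0 only if public.crt chains to ca.crt
# AND VALUE matches an entry in the certificate's SAN.
client_accepts() {
  case $2 in
    host) flag=-verify_hostname ;;
    ip)   flag=-verify_ip ;;
    *)    return 2 ;;
  esac
  openssl verify -CAfile "$1/ca.crt" "$flag" "$3" "$1/public.crt" >/dev/null 2>&1
}

dir=$(mktemp -d) && make_test_pki "$dir" || exit 1
echo "files written to $dir"
for t in host:localhost ip:127.0.0.1 host:cn-only.test; do
  if client_accepts "$dir" "${t%%:*}" "${t#*:}"; then echo "$t accepted"
  else echo "$t rejected"; fi
done
```
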
PLEASE DO NOT USE THIS IN PRODUCTION. THIS IS FOR TESTING ONLY
Enjoy!