1. Generate the "root" key:
openssl ecparam -out root.key -name prime256v1 -genkey
2. Generate the "root" CSR:
openssl req -new -sha256 -key root.key -out root.csr
3. Generate the "root" cert and self-sign it:
openssl x509 -req -sha256 -days 365 -in root.csr -signkey root.key -out root.crt
4. Create the server private key and CSR for the domain "sohammitra.co.in":
openssl ecparam -out sohammitra.co.in.key -name prime256v1 -genkey
openssl req -new -sha256 -key sohammitra.co.in.key -out sohammitra.co.in.csr
5. Sign the CSR with the "root" CA key:
openssl x509 -req -in sohammitra.co.in.csr -CA root.crt -CAkey root.key -CAcreateserial -out sohammitra.co.in.crt -days 3650 -sha256
** How to add SAN while generating the CSR?
Create the following text file, san_config.txt, in the same folder where you want to generate the CSR:
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = IN
ST = West Bengal
L = Kolkata
O = Soham's Company Pvt. Ltd.
OU = NOC
CN = www.sohammitra.co.in
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = sohammitra.in
DNS.2 = www.sohammitra.in
Execute the following command with the "-config" flag as shown below:
openssl req -new -key sohammitra.co.in.key -out sohammitra.co.in.csr -config san_config.txt
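A SAN in the CSR does not reach the certificate on its own: "openssl x509 -req" (step 5) ignores the extensions requested in the CSR unless the signing command is also given -extfile and -extensions. The script below is an added example, not part of the original notes; it repeats steps 1 to 5 in a temporary directory and prints the SAN of the issued certificate for both ways of signing. The function name issue_leaf, the file names leaf.* and the example.test names are constructed for the illustration.

```shell
#!/bin/sh
# Added example. The CA, keys and names (example.test) are constructed
# test values created in a temporary directory.

# issue_leaf MODE: build root + CSR as in steps 1-5, sign the CSR, and print
# the SAN entries of the resulting certificate (empty output = no SAN).
#   MODE=plain   -> sign exactly as in step 5
#   MODE=extfile -> step 5 plus -extfile/-extensions
issue_leaf() {
    mode=$1
    dir=$(mktemp -d) || return 1
    (
        set -e
        cd "$dir"
        cat > san_config.txt <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = www.example.test
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
        # Steps 1-3: root key, CSR, self-signed root certificate.
        openssl ecparam -out root.key -name prime256v1 -genkey
        openssl req -new -sha256 -key root.key -out root.csr \
            -config san_config.txt -subj "/CN=Constructed Test Root"
        openssl x509 -req -sha256 -days 365 -in root.csr -signkey root.key -out root.crt
        # Step 4 with the SAN config: server key and CSR.
        openssl ecparam -out leaf.key -name prime256v1 -genkey
        openssl req -new -sha256 -key leaf.key -out leaf.csr -config san_config.txt
        # Step 5: x509 -req ignores extensions requested in the CSR by default.
        if [ "$mode" = extfile ]; then
            set -- -extfile san_config.txt -extensions req_ext
        else
            set --
        fi
        openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -out leaf.crt -days 365 -sha256 "$@"
    ) >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    openssl x509 -in "$dir/leaf.crt" -noout -text | sed -n 's/^ *\(DNS:.*\)$/\1/p'
    rm -rf "$dir"
}

echo "plain:   [$(issue_leaf plain)]"
echo "extfile: [$(issue_leaf extfile)]"
```

An empty result for "plain" means the certificate carries no subjectAltName, and clients that match the host name against the SAN will reject it.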
** Sample Virtual Host configuration for Apache HTTPD:
<VirtualHost sohammitra.co.in:443>
DocumentRoot /var/www/sohammitra.co.in
ServerName sohammitra.co.in
SSLEngine on
SSLCertificateFile /home/user/sslcerts/sohammitra.co.in.crt
SSLCertificateKeyFile /home/user/sslcerts/server.key
</VirtualHost>
** How to check the certificate chain presented by the server?
openssl s_client -connect xyz.com:443 -servername xyz.com -showcerts
** How to validate the password against a *.key file?
openssl rsa -in private.key
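(If you typed the correct password, you will see the decrypted key; if you typed the wrong password, you will see "unable to load Private Key". This command reads RSA keys only; for an EC key such as the ones generated above, use the ec subcommand in place of rsa.)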
** How to look into a .cer file to see the content in plain text?
openssl x509 -in CERTIFICATE_XYZ.cer -text