quick create root CA and self signed for chrome 58+

por | 12 febrero, 2018

create RootCA first

cat createRootCa.sh
#!/usr/bin/env bash
mkdir /root/ca/
openssl genrsa -des3 -out /root/ca/rootCA.key 2048
openssl req -x509 -new -nodes -key /root/ca/rootCA.key -sha256 -days 7300 -out /root/ca/rootCA.pem

Create server.csr.cnf

default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = MX
stateOrProvinceName = MX
localityName = CDMX
0.organizationName = domain
organizationalUnitName = domain ltd
commonName = *.domain.com
emailAddress = [email protected]

create v3.ext with:

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
DNS.1 = *.domain.com

Create Self signed Certificate

#!/usr/bin/env bash
echo "Edit first server.csr.cnf and v3.ext"
read -n1 -r -p "Press any key to continue..." key
openssl req -new -sha256 -nodes -out domain.com.csr -newkey rsa:2048 -keyout domain.com.key -config /root/ca/server.csr.cnf
openssl x509 -req -in domain.com.csr -CA /root/ca/rootCA.pem -CAkey /root/ca/rootCA.key -CAcreateserial -out domain.com.crt -days 3650 -sha256 -extfile v3.ext


create ca-bundle.crt

cat domain.com.crt rootCA.pem > ca-bundle.crt

use ca-bundle.crt and domain.com.key certificates for apache and nginx