Quickly create a root CA and a self-signed certificate for Chrome 58+

por | 12 febrero, 2018

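Create the root CA first. Keep rootCA.key private: anyone who holds it can issue certificates that every machine trusting this root will accept.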

cat createRootCa.sh
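#!/usr/bin/env bash
# Creates the root CA under /root/ca/: a passphrase-protected RSA private key
# (rootCA.key) and a self-signed root certificate (rootCA.pem) valid for
# 7300 days. openssl prompts for the key passphrase and the subject fields.

# Stop at the first failure so no certificate is produced from a missing or
# partially written key.
set -euo pipefail

# Everything created below, the private key in particular, must be readable
# by the owner only.
umask 077

# -p: succeed when the directory already exists; chmod also tightens a
# directory that was created earlier with looser permissions.
mkdir -p /root/ca/
chmod 700 /root/ca/

# Regenerating the key would silently invalidate every certificate already
# issued by this CA, so never overwrite an existing one.
if [[ -e /root/ca/rootCA.key ]]; then
    echo "Refusing to overwrite existing /root/ca/rootCA.key" >&2
    exit 1
fi

# -aes256 replaces the legacy -des3 (3DES) cipher for encrypting the key at rest.
# NOTE(review): 2048 bits is kept from the original; consider a larger key for
# a root that is meant to stay valid for 20 years.
openssl genrsa -aes256 -out /root/ca/rootCA.key 2048
openssl req -x509 -new -nodes -key /root/ca/rootCA.key -sha256 -days 7300 -out /root/ca/rootCA.pem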


Create /root/ca/server.csr.cnf (the path the signing script below reads) with:

# OpenSSL request configuration, read through `openssl req -config` when the
# CSR for the server certificate is generated.
[req]
# Default RSA key size; the signing command on this page passes rsa:2048
# explicitly, so this value only matters if that option is dropped.
default_bits = 2048
# Take the subject from this file instead of prompting for each field.
prompt = no
# Digest used to sign the request.
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = MX
stateOrProvinceName = MX
localityName = CDMX
0.organizationName = domain
organizationalUnitName = domain ltd
# Chrome 58+ does not match the hostname against commonName; the names that
# count are the subjectAltName entries in v3.ext.
commonName = *.domain.com
# NOTE(review): this value looks like the output of the page's e-mail
# obfuscation rather than a real address; replace it before use.
emailAddress = [email protected]


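Create v3.ext in the directory the signing script is run from (it is referenced by a relative path). Chrome 58+ checks the hostname against subjectAltName only, so every name the server answers to must be listed here: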

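# X.509 v3 extensions applied when the root CA signs the server certificate
# (passed to `openssl x509` with -extfile).
authorityKeyIdentifier=keyid,issuer
# Leaf certificate: it must not be usable to sign other certificates.
basicConstraints=CA:FALSE
# Only the usages a TLS server key needs; nonRepudiation and dataEncipherment
# were dropped because a web server certificate has no use for them.
keyUsage = digitalSignature, keyEncipherment
# Restrict the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
# Chrome 58+ validates the hostname against these entries, not commonName.
subjectAltName = @alt_names
[alt_names]
# A wildcard matches exactly one label: it covers www.domain.com but neither
# domain.com itself nor a.b.domain.com. Add further DNS.n lines for any other
# name the server must answer to.
DNS.1 = *.domain.com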


Create the certificate (signed by your own root CA)

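#!/usr/bin/env bash
# Generates a new RSA key and CSR for the server (domain.com.key,
# domain.com.csr) and has the root CA in /root/ca/ sign the CSR into
# domain.com.crt, applying the extensions from v3.ext in the current directory.
# openssl prompts for the passphrase of rootCA.key.

# Stop at the first failure: without this a failed CSR step would still be
# followed by the signing step, possibly on a stale domain.com.csr.
set -euo pipefail

# domain.com.key is written unencrypted (-nodes), so file permissions are its
# only protection; make sure it is created readable by the owner only.
umask 077

echo "Edit first server.csr.cnf and v3.ext"
# `|| true` keeps the original behaviour of continuing when stdin is not a terminal.
read -n1 -r -p "Press any key to continue..." key || true

# Fail with a clear message instead of an openssl error halfway through.
for required in /root/ca/server.csr.cnf v3.ext; do
    if [[ ! -r "$required" ]]; then
        echo "Missing or unreadable: $required" >&2
        exit 1
    fi
done

openssl req -new -sha256 -nodes -out domain.com.csr -newkey rsa:2048 -keyout domain.com.key -config /root/ca/server.csr.cnf

# -CAcreateserial writes the serial-number file next to the CA certificate.
# NOTE(review): 3650 days is kept from the original; a shorter lifetime limits
# the exposure of the unencrypted key, and some client platforms reject server
# certificates valid for more than 825 days.
openssl x509 -req -in domain.com.csr -CA /root/ca/rootCA.pem -CAkey /root/ca/rootCA.key -CAcreateserial -out domain.com.crt -days 3650 -sha256 -extfile v3.ext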

 


create ca-bundle.crt

# Server certificate first, then the root that signed it. Both inputs are
# public certificates; the .key files never belong in this bundle.
cat -- domain.com.crt rootCA.pem >ca-bundle.crt

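Use ca-bundle.crt as the certificate and domain.com.key as the private key in Apache and nginx. domain.com.key is stored without a passphrase, so keep it readable only by the account that starts the web server; clients accept the certificate only once rootCA.pem has been imported into their trust store.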