OpenSSL certificate and CA for HTTPS


Self-signed certificate

To generate a self-signed certificate:

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -noenc -out coffeeNET.crt -keyout coffeeNET.key -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/"

What these options mean:

  • -newkey rsa:4096: Generates a new certificate request and a 4096-bit RSA key. The default is 2048 is you don't specify.
  • -x509: Specifies that you want to create a self-signed certificate rather than a certificate signing request (CSR).
  • -sha256: Uses the 256-bit SHA (Secure Hash Algorithm) for the certificate.
  • -days 3650: Sets the validity of the certificate to 3650 days (10 years), but you can adjust this to any positive integer.
  • -noenc: Creates the certificate without a passphrase. Stands for "no encryption".
  • -out coffeeNET.crt: Outputs the certificate to a file named coffeeNET.crt.
  • -keyout coffeeNET.key: Outputs the private key to a file named coffeeNET.key.
  • -subj: Provides subject information about the certificate.

    • /C=US is the country code.
    • /ST=Illinois is the state.
    • /L=Chicago is the locality/city.
    • /O=coffeeNET is the organization name.
    • /OU=Homelab is the organizational unit.
    • / is the common name, which is often the fully-qualified domain name (FQDN) for the certificate.

Certificate Authority

Create a private key for the CA

This key should be encrypted with AES for security reasons, and you should use a strong password of 20+ characters.

openssl genrsa -aes256 -out coffeeNET-RootCA.key 4096

Create the CA certificate

We use the private key we've just created. Use the same subject information as above.

openssl req -x509 -new -noenc -key coffeeNET-RootCA.key -sha256 -days 1826 -out coffeeNET-RootCA.crt -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/"

Add the CA certificate to the trusted root certificates on client

sudo cp coffeeNET-RootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

These steps establish your own CA, after which you can sign certificates with it to be recognized as valid within your network or organization.

Enter your instance's address