OpenSSL certificate and CA for HTTPS
To generate a self-signed certificate:
openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -noenc -out coffeeNET.crt -keyout coffeeNET.key -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
What these options mean:
-newkey rsa:4096: Generates a new certificate request and a 4096-bit RSA key. The default is 2048 if you don't specify.
-x509: Specifies that you want to create a self-signed certificate rather than a certificate signing request (CSR).
-sha256: Uses SHA-256 (the 256-bit Secure Hash Algorithm) as the digest for signing the certificate.
-days 3650: Sets the validity of the certificate to 3650 days (10 years), but you can adjust this to any positive integer.
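-noenc: Writes the private key without a passphrase. Stands for "no encryption". It replaces the older -nodes option, which is deprecated since OpenSSL 3.0.
-out coffeeNET.crt: Outputs the certificate to a file named coffeeNET.crt.
-keyout coffeeNET.key: Outputs the private key to a file named coffeeNET.key.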
-subj: Provides subject information about the certificate.
/C=US is the country code.
/ST=Illinois is the state.
/L=Chicago is the locality/city.
/O=coffeeNET is the organization name.
/OU=Homelab is the organizational unit.
/CN=lab.home.arpa is the common name, which is often the fully-qualified domain name (FQDN) for the certificate.
Create a private key for the CA
This key should be encrypted with AES for security reasons, and you should use a strong password of 20+ characters.
openssl genrsa -aes256 -out coffeeNET-RootCA.key 4096
Create the CA certificate
We use the private key we've just created. Use the same subject information as above.
openssl req -x509 -new -noenc -key coffeeNET-RootCA.key -sha256 -days 1826 -out coffeeNET-RootCA.crt -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
Add the CA certificate to the trusted root certificates on the client
sudo cp coffeeNET-RootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
These steps establish your own CA, after which you can sign certificates with it to be recognized as valid within your network or organization.
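The signing step mentioned above, as an added example that is not part of the original page: it issues a server certificate from a CA and checks that the chain and hostname verify. The function names, the throwaway CA and its "Constructed Demo Root CA" subject are assumptions made so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
set -eu
umask 077   # keep generated private keys readable by the owner only

# Throwaway root CA so the script runs stand-alone. On the real system, use
# coffeeNET-RootCA.crt / coffeeNET-RootCA.key from the steps above instead.
make_demo_ca() {  # usage: make_demo_ca <dir>
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  # Constructed subject; the CA's CN is kept distinct from the server's.
  openssl req -x509 -new -key "$1/ca.key" -sha256 -days 30 \
    -out "$1/ca.crt" -subj "/O=coffeeNET/CN=Constructed Demo Root CA"
}

issue_cert() {  # usage: issue_cert <ca.crt> <ca.key> <hostname> <outdir>
  # Server key (unencrypted so a web server can load it unattended) and CSR.
  openssl genrsa -out "$4/$3.key" 2048 2>/dev/null
  openssl req -new -key "$4/$3.key" -out "$4/$3.csr" \
    -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=$3"
  # Leaf extensions: not a CA, TLS server use only, hostname in the SAN
  # (clients match the name against subjectAltName rather than the CN).
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$3" > "$4/$3.ext"
  # Sign the CSR with the CA key; an encrypted CA key prompts for its password.
  openssl x509 -req -in "$4/$3.csr" -CA "$1" -CAkey "$2" \
    -CAserial "$4/ca.srl" -CAcreateserial -sha256 -days 365 \
    -extfile "$4/$3.ext" -out "$4/$3.crt" 2>/dev/null
}

verify_cert() {  # usage: verify_cert <ca.crt> <cert> <hostname>
  # Succeeds only if the chain builds to the CA and the hostname matches.
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

d=$(mktemp -d)
make_demo_ca "$d"
issue_cert "$d/ca.crt" "$d/ca.key" lab.home.arpa "$d"
if verify_cert "$d/ca.crt" "$d/lab.home.arpa.crt" lab.home.arpa; then
  echo "lab.home.arpa: chain and hostname verify OK"
fi
```

Clients only accept the issued certificate once the CA certificate is in their trust store, as in the step above.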