Mar 12, 2017

TL;DR:

There’s also information on generating self-signed multi domain or subject alternative name (SAN) certificates below.

Explanation


The first line generates an elliptic curve private key on the secp521r1 curve and writes it to server.key. The second line generates a self-signed certificate, valid for two years, from that key.

Parameters:

  • -name secp521r1 : The elliptic curve to use. Wikipedia has a table showing the level of support for different elliptic curves in common libraries. It’s probably best to choose one that is commonly supported.
  • -genkey : Ask for a key to be generated.
  • -noout : Inhibits the output of the encoded version of the parameters. At the opposite end there’s -param_enc explicit, which stores the EC parameters alongside the key. That makes it possible for systems that do not know the details of the named curve (secp521r1 in this case) to still use it.
  • -out server.key : The file to store the key in.

Parameters:

  • -new : New certificate request. Prompts the user for the value of the fields in the request, based on the OpenSSL config file, if any.
  • -x509 : Generate a self-signed certificate. Omitted if the certificate will be signed by a CA.
  • -key server.key : Private key used to generate the certificate.
  • -out server.crt : File to store the certificate in.
  • -days 730 : Certificate validity. Omitted if the certificate will be signed by a CA.

Self-signed SAN (multi-domain) certificates


The SAN entries are set in the signing request. Using OpenSSL, either create a new file or copy and tweak the default OpenSSL config so that it has the following section or settings:

The marked lines are just a bonus: they provide defaults for the questions asked when generating the signing request.

Assuming a file with the above contents saved under the name crt.conf, the following commands will generate first the private key, then the public certificate valid for three years:
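As an added example (not code from the original post), the script below runs the two commands described by the parameter lists above and then builds a SAN certificate from a config file constructed here, since the post's own crt.conf is not reproduced. The hostnames, the subject, the three-year SAN validity and the use of -subj instead of interactive prompts are assumptions; the helper functions at the end check the curve actually used, the SAN list, and that each certificate's public key matches its private key.

```shell
#!/bin/sh
# Added example, not code from the original post. Hostnames, subject and the
# three-year validity of the SAN certificate are assumptions.
set -eu

# EC private key on secp521r1; -noout keeps the EC parameter block out of the file.
gen_ec_key() {
    openssl ecparam -name secp521r1 -genkey -noout -out "$1"
}

# Self-signed certificate, two years; -subj replaces the interactive prompts.
gen_self_signed() {
    openssl req -new -x509 -key "$1" -out "$2" -days 730 -subj "/CN=example.test"
}

# Config carrying the subjectAltName extension (constructed for this example).
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = example.test
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
}

# SAN certificate, three years; -extensions selects the section with the SAN list.
gen_san_cert() {
    openssl req -new -x509 -key "$1" -out "$2" -days 1095 \
        -config "$3" -extensions v3_req
}

# Checks: curve name stored in the key, SAN list in the certificate, and the
# certificate's public key matching the private key it was built from.
key_curve() { openssl ec -in "$1" -noout -text 2>/dev/null | grep 'ASN1 OID' | awk '{print $NF}'; }
cert_sans() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1; }
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | od -An -tx1)
    b=$(openssl pkey -in "$2" -pubout -outform DER | od -An -tx1)
    [ "$a" = "$b" ]
}
```

Inspect the result with `openssl x509 -in san.crt -noout -text` to see the DNS entries under "X509v3 Subject Alternative Name".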

Bonus: Mozilla’s SSL config generator for various web servers.
