OpenSSL
Certificate and CA for HTTPS
Self-signed certificate
To generate a self-signed certificate:
openssl req \ -newkey rsa:4096 \ -x509 \ -sha256 \ -days 3650 \ -noenc \ -out coffeeNET.crt \ -keyout coffeeNET.key \ -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
What these options mean:
| Option | Description |
|---|---|
-newkey rsa:4096 |
Generates a new certificate request and a 4096-bit RSA key. The default is 2048 is you don’t specify. |
-x509 |
Specifies that you want to create a self-signed certificate rather than a certificate signing request. |
-sha256 |
Uses the 256-bit SHA (Secure Hash Algorithm) for the certificate. |
-days 3650 |
Sets the validity of the certificate to 3650 days (10 years), but you can adjust this to any positive integer. |
-noenc |
Creates the certificate without a passphrase. Stands for “no encryption”. |
-out coffeeNET.crt |
Outputs the certificate to a file named coffeeNET.crt. |
-keyout coffeeNET.key |
Outputs the private key to a file named coffeeNET.key. |
-subj |
Provides subject information about the certificate. See below. |
Subject information:
| Option | Description |
|---|---|
/C=US |
Country code |
/ST=Illinois |
State |
/L=Chicago |
Locality/city |
/O=coffeeNET |
Organization name |
/OU=Homelab |
Organizational unit |
/CN=lab.home.arpa |
Common name, which is often the fully-qualified domain name for the certificate. |
Certificate Authority
Create a private key for the CA. This key should be encrypted with AES for security reasons, and you should use a strong password of 20+ characters.
openssl req \ -x509 \ -new \ -key coffeeNET-RootCA.key \ -sha256 \ -days 1826 \ -out coffeeNET-RootCA.crt \ -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
Add the CA certificate to the trusted root certificates on clients:
sudo cp coffeeNET-RootCA.crt /etc/pki/ca-trust/source/anchors/ sudo update-ca-trust
These steps establish your own CA, after which you can sign certificates with it to be recognized as valid within your network.