How to Create a Server Certificate with Configuration using OpenSSL
In this post, I’ll step by step create a server certificate including configurations like subject alternative names and key identifiers.
Modern browsers include several security controls to make sure you are visiting the exact site that you’ve aimed for. SSL certificates have an important role in achieving this. However, not all server certificates are considered safe by the browsers. For example, for Chrome 58 and later, chrome checks for the existence of subject alternative names (subjectAlternativeName extension) in the server’s SSL certificates and if it is not present displays the following error message to let the users know that the connection might not be private.
NET::ERR_CERT_COMMON_NAME_INVALID
Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
With OpenSSL, you can use the subjectAltName extension to specify the subject alternative name.
We will use the config files while creating the certificates to add the extensions. Let’s start…
Generate the root key:
Execute:
openssl genrsa -out "root-ca.key" 4096Generate CSR:
Execute:
openssl req -new -key "root-ca.key" -out "root-ca.csr" -sha256 -subj '/CN=Local Test Root CA'Configure Root CA:
We need to create a file (root-ca.cnf) and add the following content:
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hashSelf-sign the root certificate:
Normally your signing request is signed by a trusted certificate authority (CA). However, we are doing this for our own testing purposes so we will sign by ourselves.
Execute:
openssl x509 -req -days 3650 -in "root-ca.csr" -signkey "root-ca.key" -sha256 -out "root-ca.crt" -extfile "root-ca.cnf" -extensions root_ca
