Create cer and pvk with your own CA for website in OpenSSL
Published Date: 2022-02-22 13:00:30Z
There are lots of troubles getting a cer or pvk with your own CA in OpenSSL. Here are the details about the troubles and solutions.
0x0 Environment
- OpenSSL 1.1.1m 14 Dec 2021
0x1 Get your CA certificate (optional)
At first, you need a MyCA.cnf file in your working directory.
MyCA.cnf
```
[req]
distinguished_name = distinguished_name
x509_extensions = root_ca

[distinguished_name]
# you can fill data with yours.
# These entries are interactive prompts; they are skipped when -subj is passed on the command line.
countryName = US
# 2 letter-code
countryName_min = 2
countryName_max = 2
stateOrProvinceName = state
localityName = locality
0.organizationName = MyOrganization
organizationalUnitName = technology
commonName = develop
commonName_max = 64
emailAddress = [email protected]
emailAddress_max = 64

[ root_ca ]
# marks this certificate as a CA, so it may sign the website certificate in 0x3
basicConstraints = critical, CA:true
```
And then, run the next command in your terminal.
```
openssl req -x509 -newkey rsa:2048 -out MyCA.cer -outform PEM -keyout MyCA.pvk -days 10000 -verbose -config MyCA.cnf -nodes -sha256 -subj "/CN=MyOrganization CA"
```
- -newkey: set the key algorithm and key length.
- -days: set the expiration days.
Now, you have MyCA.cer and MyCA.pvk files in your working directory.
0x2 Create pvk and req
Run this command in your terminal to get the MyOrg.pvk and MyOrg.req files.
```
openssl req -newkey rsa:2048 -keyout MyOrg.pvk -out MyOrg.req -subj /CN=localhost -sha256 -nodes
```
0x3 Get your website cert and pvk with your own CA
At this step, you need a MyOrg.ext file before running the next command.
MyOrg.ext
```
# browsers match the hostname against subjectAltName, not against CN
subjectAltName = @MyOrg
extendedKeyUsage = serverAuth
[MyOrg]
DNS.1 = yourDomain.com
IP.1 = 192.168.1.100
IP.2 = 127.0.0.1
```
Run it.
```
openssl x509 -req -CA MyCA.cer -CAkey MyCA.pvk -in MyOrg.req -out website.cer -days 10000 -extfile MyOrg.ext -sha256 -set_serial 0x1111
```
0x4 Finished
Install MyCA.cer on your machine.
Add website.cer and MyOrg.pvk to your website or program.
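The whole procedure from 0x1 to 0x3 as one script, plus the two checks worth running before installing anything: that website.cer really chains to MyCA.cer and that the SAN made it into the signed certificate. This is an added example, not part of the original post; it assumes `openssl` is on PATH and uses localhost/127.0.0.1 as the SAN entries.

```shell
#!/bin/sh
# Added example: build the CA, the website key/request and the signed cert in a scratch
# directory, then verify the result. Assumes the `openssl` binary is on PATH.
set -eu

# make_and_verify DIR: runs steps 0x1-0x3 inside DIR and returns 0 only if the leaf
# verifies against the CA and carries the subjectAltName from MyOrg.ext.
make_and_verify() {
  (
    dir="$1"
    mkdir -p "$dir"
    cd "$dir"

    # MyCA.cnf (shortened): the [distinguished_name] prompts are skipped because -subj is given
    cat > MyCA.cnf <<'EOF'
[req]
distinguished_name = distinguished_name
x509_extensions = root_ca
[distinguished_name]
commonName = develop
[root_ca]
basicConstraints = critical, CA:true
EOF
    # MyOrg.ext: the SAN is what clients match the hostname against
    cat > MyOrg.ext <<'EOF'
subjectAltName = @MyOrg
extendedKeyUsage = serverAuth
[MyOrg]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
    # 0x1 CA certificate and key (-nodes leaves MyCA.pvk unencrypted: keep it off the web server)
    openssl req -x509 -newkey rsa:2048 -out MyCA.cer -outform PEM -keyout MyCA.pvk \
      -days 10000 -config MyCA.cnf -nodes -sha256 -subj "/CN=MyOrganization CA"
    # 0x2 website key and certificate request
    openssl req -newkey rsa:2048 -keyout MyOrg.pvk -out MyOrg.req -subj /CN=localhost -sha256 -nodes
    # 0x3 sign the request with the CA; without -extfile the SAN would be dropped here
    openssl x509 -req -CA MyCA.cer -CAkey MyCA.pvk -in MyOrg.req -out website.cer \
      -days 10000 -extfile MyOrg.ext -sha256 -set_serial 0x1111

    # check 1: website.cer chains to MyCA.cer (prints "website.cer: OK")
    openssl verify -CAfile MyCA.cer website.cer
    # check 2: the SAN extension is present in the signed certificate
    openssl x509 -in website.cer -noout -text | grep -q 'DNS:localhost'
  )
}
```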
0x5 Extra things
- cert(s) = certificate(s)
- pvk = private key
- pk = public key