With a ton of references discoverable on The Interwebz, I spent a couple of hours trying to figure out how to generate a self-signed certificate with the following characteristics:
- 2048-bit key
- sha256 digest
- 10-year certificate life (because, duh, I don't want to do this every year)
- Accepted Use: server auth, client auth
It took pulling pieces from several different resources, documented herein:
Required Software
OpenSSL (command-line software)
Text editor (to create the config file for the cert)
Steps
- Create a text file that specifies the "innards" of the cert:
[req]
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN={replace with server fqdn}
OU={replace with department}
O={replace with company name}
L={replace with city name}
ST={replace with state name}
C={replace with 2-letter country code}
[ exts ]
extendedKeyUsage = serverAuth,clientAuth
- Run the following openssl command (all one line) to create the new private key & certificate:
openssl req -x509 -config {replace with name of config file created above} -extensions "exts" -sha256 -nodes -days 3652 -newkey rsa:2048 -keyout host.rsa -out host.cer
- Run the following openssl command to bundle the key & cert together in a bundle that can be imported into Windows:
openssl pkcs12 -export -out host.pfx -inkey host.rsa -in host.cer
What's happening
The text file sets up a number of configuration items that you'd either be unable to specify at all (the extensions) or would have to manually input during creation (the distinguished name details).
The request in the second step creates a 2048-bit private key (host.rsa) and a self-signed certificate (host.cer) with a 10-year lifetime (3652 days) with the necessary usage flags and SHA256 digest.
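To confirm the result actually has the characteristics listed at the top, the script below (an added example, not part of the original post) generates the cert with the same config and command, then checks each property with openssl x509. The subject values, the file name cert.cnf and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all subject values below are constructed placeholders.
make_cert() {  # $1 = working directory
    cat > "$1/cert.cnf" <<'EOF'
[req]
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN=host.example.test
OU=IT
O=Example Corp
L=Springfield
ST=Illinois
C=US
[ exts ]
extendedKeyUsage = serverAuth,clientAuth
EOF
    openssl req -x509 -config "$1/cert.cnf" -extensions "exts" -sha256 -nodes \
        -days 3652 -newkey rsa:2048 -keyout "$1/host.rsa" -out "$1/host.cer" 2>/dev/null &&
    chmod 600 "$1/host.rsa"   # -nodes writes the key unencrypted, so restrict access
}

check_cert() {  # $1 = certificate file; returns 0 only if every property holds
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    subj=$(openssl x509 -in "$1" -noout -subject)
    issr=$(openssl x509 -in "$1" -noout -issuer)
    rc=0
    echo "$text" | grep -q 'Public-Key: (2048 bit)' || { echo "FAIL key size"; rc=1; }
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || { echo "FAIL digest"; rc=1; }
    echo "$text" | grep -q 'TLS Web Server Authentication' || { echo "FAIL serverAuth"; rc=1; }
    echo "$text" | grep -q 'TLS Web Client Authentication' || { echo "FAIL clientAuth"; rc=1; }
    # Self-signed: subject and issuer are the same name.
    [ "${subj#subject=}" = "${issr#issuer=}" ] || { echo "FAIL not self-signed"; rc=1; }
    # Must still be valid 3650 days from now (the cert was issued for 3652).
    openssl x509 -in "$1" -noout -checkend $((3650 * 86400)) >/dev/null || { echo "FAIL lifetime"; rc=1; }
    return $rc
}

# True when the key file exists and carries no encryption marker.
key_is_unencrypted() { [ -f "$1" ] && ! grep -q ENCRYPTED "$1"; }

# Stand-alone run in a scratch directory.
dir=$(mktemp -d) && make_cert "$dir" && check_cert "$dir/host.cer" && echo "all checks passed"
```

The config above sets no subjectAltName and check_cert does not test for one; clients that match hostnames only against SAN entries will reject this cert for TLS server use.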