techblog.koponen.se
HOWTO
CERTIFICATES
CREATE YOUR OWN CA
Published: 20181221
Tested on:
OpenSSL version: Ubuntu stock
OS: Ubuntu 16.04 (x86_64)
-
CA = Certificate Authority
Key = the private key; must always be kept secret and protected
CSR = Certificate Signing Request, used when you need a CA to sign (vouch for) your public key without handing over the private key
Cert = Certificate, the public file
Make the CA
# create the private key of your CA
openssl genrsa -des3 -out myCA.key 4096
# create a CA-cert which is self-signed by the key
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3560 -out myCA.crt
Make a private key and certificate, PEM-format (e.g. for a webserver)
# create a key for the service
openssl genrsa -out <hostname>.key 4096
# create a CSR (Certificate Signing Request)
openssl req -new -key <hostname>.key -out <hostname>.csr
# create a cert by signing the CSR with your CA-key and CA-cert
openssl x509 -req -in <hostname>.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out <hostname>.crt -days 3650 -sha256 [-extfile <hostname>.ext]
If you want extra hostnames or IP addresses in your certificate, use -extfile
this is what <hostname>.ext looks like
subjectAltName = @alt_names
[alt_names]
DNS.1 = hostname.example.com
DNS.2 = alternative.example.com
IP.1 = 192.0.2.1
IP.2 = 198.51.100.1
Convert key and certificate into PFX-format (e.g. to install into an HP printer)
openssl pkcs12 -export -out <hostname>.pfx -inkey <hostname>.key -in <hostname>.crt
Check fingerprint of cert
openssl x509 -noout -fingerprint -md5 -inform pem -in myCA.crt
openssl x509 -noout -fingerprint -sha1 -inform pem -in myCA.crt
openssl x509 -noout -fingerprint -sha256 -inform pem -in myCA.crt
Check contents of cert
openssl x509 -in <filename>.crt -text -noout
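The whole flow above (CA, service key, CSR, extension file, signing) run end to end and then checked, as an added example that is not part of the original page. It runs non-interactively in a scratch directory: the CA key is left unencrypted (no -des3) only so that no passphrase prompt blocks the script, -subj replaces the interactive prompts, and the hostnames and addresses are constructed placeholders. Beyond the page's commands it adds the two checks a practitioner wants after signing: that the new cert verifies against the CA, and that the subjectAltName entries actually ended up in it.

```shell
#!/bin/sh
# Added example, not the original page's code. Assumes openssl is on PATH.
# Creates a CA, a service key and CSR, signs the CSR with a SAN extension
# file, then verifies the chain and checks the SAN. Prints the work dir.
set -eu

make_ca_and_cert() (
    # subshell so the cd does not leak into the caller
    work=$(mktemp -d)
    cd "$work"

    # 1. CA private key (unencrypted here only to stay non-interactive;
    #    use -des3 as on the page for a real CA) and self-signed CA cert
    openssl genrsa -out myCA.key 4096 2>/dev/null
    openssl req -x509 -new -key myCA.key -sha256 -days 3650 \
        -subj "/CN=Example Home CA" -out myCA.crt

    # 2. Service key and CSR (2048 bits here only to keep the run short)
    openssl genrsa -out host.key 2048 2>/dev/null
    openssl req -new -key host.key -subj "/CN=hostname.example.com" -out host.csr

    # 3. Extension file, same layout as <hostname>.ext on the page
    #    (constructed placeholder names from the documentation ranges)
    cat > host.ext <<'EOF'
subjectAltName = @alt_names
[alt_names]
DNS.1 = hostname.example.com
DNS.2 = alternative.example.com
IP.1 = 192.0.2.1
EOF

    # 4. Sign the CSR with the CA key and CA cert, applying the extensions
    openssl x509 -req -in host.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
        -out host.crt -days 365 -sha256 -extfile host.ext 2>/dev/null

    # 5. Checks: the chain verifies against the CA, and the SAN survived
    #    signing (a CSR's own extensions are dropped by x509 -req, so the
    #    names must come from -extfile). set -e aborts if either fails.
    openssl verify -CAfile myCA.crt host.crt >/dev/null
    openssl x509 -in host.crt -noout -text | grep -q 'DNS:alternative.example.com'

    # 6. Fingerprint of the CA cert, the value to compare out of band
    #    before installing myCA.crt into a client's trust store
    openssl x509 -noout -fingerprint -sha256 -inform pem -in myCA.crt >&2

    echo "$work"
)

dir=$(make_ca_and_cert)
echo "CA and signed certificate written to $dir" >&2
```

The SAN check matters because browsers ignore the CN and match the requested hostname only against subjectAltName; a cert signed without -extfile will verify fine with openssl verify and still be rejected by a browser.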
-
The cool thing now is that anyone who has myCA.crt installed in their trust store can make a secure connection to any server whose CRT-file is signed by your CA.