Published: 20181221

Tested on:
OpenSSL version: Ubuntu stock
OS: Ubuntu 16.04 (x86_64)


CA = Certificate Authority
Key = the private key; it must always be protected and never leaves the machine it was created on
CSR = Certificate Signing Request, lets someone (the CA) sign your public key without ever receiving the private key
Cert = Certificate, the public file

Make the CA

# create the private key of your CA (-des3 encrypts it, you will be asked for a passphrase)  
openssl genrsa -des3 -out myCA.key 4096  
# create a CA-cert which is self-signed with that key (you are prompted for the passphrase again)  
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3560 -out myCA.crt  

Make a private key and certificate, PEM-format (e.g. for a webserver)

# create a key for the service  
openssl genrsa -out <hostname>.key 4096  
# create a CSR (Certificate Signing Request)  
openssl req -new -key <hostname>.key -out <hostname>.csr  
# create a cert by signing the CSR with your CA-key and CA-cert  
openssl x509 -req -in <hostname>.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out <hostname>.crt -days 3650 -sha256 [-extfile <hostname>.ext]  

If you want extra hostnames in your certificate, pass an extension file with -extfile.
This is what <hostname>.ext looks like (subjectAltName refers to a section, so the [alt_names] header is required, otherwise openssl fails with a variable lookup error):

subjectAltName = @alt_names  
[alt_names]  
DNS.1 =  
DNS.2 =  
IP.1  =  
IP.2  =  
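As an added example (not part of the original page), the whole procedure above run unattended in a temporary directory, with a complete extension file and a verification step the page's commands do not include; the passphrase, CA name and hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example: CA + leaf certificate, non-interactive, then verified.
set -eu

make_and_verify() {
  host="$1"                      # hostname for the leaf cert, e.g. web.example.test
  work=$(mktemp -d)
  cd "$work"

  # CA private key, passphrase-protected like the page's -des3 key; the constructed
  # passphrase is passed on the command line only so the example runs unattended
  openssl genrsa -des3 -passout pass:capass -out myCA.key 4096 2>/dev/null
  openssl req -x509 -new -key myCA.key -passin pass:capass -sha256 -days 3560 \
    -subj "/CN=Example Lab CA" -out myCA.crt

  # service key and CSR (-subj replaces the interactive questions)
  openssl genrsa -out "$host.key" 4096 2>/dev/null
  openssl req -new -key "$host.key" -subj "/CN=$host" -out "$host.csr"

  # extension file: subjectAltName must point at an [alt_names] section
  cat > "$host.ext" <<EOF
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
DNS.2 = www.$host
IP.1  = 127.0.0.1
EOF

  # sign the CSR with the CA key and cert, adding the SAN extensions
  openssl x509 -req -in "$host.csr" -CA myCA.crt -CAkey myCA.key -passin pass:capass \
    -CAcreateserial -days 3650 -sha256 -extfile "$host.ext" -out "$host.crt" 2>/dev/null

  # check: the leaf chains to myCA.crt AND the SAN covers the second hostname
  openssl verify -CAfile myCA.crt -verify_hostname "www.$host" "$host.crt" >/dev/null

  cd / && rm -rf "$work"
}
```

Any failure (wrong passphrase, missing [alt_names] section, hostname not in the SAN) makes the function exit non-zero because of set -e.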

Convert key and certificate into PFX-format (e.g. to install into an HP printer)

openssl pkcs12 -export -out <hostname>.pfx -inkey <hostname>.key -in <hostname>.crt  

Check fingerprint of cert

openssl x509 -noout -fingerprint -md5    -inform pem -in myCA.crt  
openssl x509 -noout -fingerprint -sha1   -inform pem -in myCA.crt  
openssl x509 -noout -fingerprint -sha256 -inform pem -in myCA.crt  

Check contents of cert

openssl x509 -in <filename>.crt -text -noout  


The cool thing now is that anyone who has myCA.crt (and installs it as a trusted CA) can verify every CRT-file signed by your CA and so set up a secure connection to those services.