Create Self Signed SSL Certs

Mar 22, 2019

Certificates for internal hosts can be self-signed.

Root Certificate (rootCA)

# Create private key (-des3 keeps the CA key encrypted at rest)
$ openssl genrsa -des3 -out rootCA.key 4096

# Self-sign the key (valid 10 years)
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

# Install rootCA into the system trust store (RHEL/CentOS)
$ yum install ca-certificates
$ cp rootCA.pem /etc/pki/ca-trust/source/anchors/rootCA.pem
$ update-ca-trust extract

SAN Certificates

SAN (Subject Alternative Name) certificates cover several domain names (limited to 100) with a single certificate.

$ vim openssl.cnf
# Values in [brackets] are placeholders; write them without the brackets.
[req]
distinguished_name = req_distinguished_name
# req_extensions puts the SAN into the CSR; x509_extensions is used only when
# openssl req -x509 self-signs directly.
req_extensions = v3_req
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = [CN]
ST = [Shanghai]
L = [Shanghai]
O = [OrgsName]
OU = [DevOps]
CN = [primary.domain.example]

[v3_req]
basicConstraints = CA:FALSE
# digitalSignature is needed for ECDHE cipher suites and TLS 1.3;
# dataEncipherment is not used by TLS
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# List the CN here as well: clients match hostnames against the SAN, not the CN
DNS.1 = [primary.domain.example]
DNS.2 = [alt1.domain.example]
DNS.3 = [alt2.domain.example]
DNS.4 = [alt3.example.com]

# Create private key
$ openssl genrsa -des3 -out san.key 4096

# Create CSR SAN
$ openssl req -new -out san.csr -key san.key -config openssl.cnf

# Sign with the rootCA cert (-extensions/-extfile carry the SAN into the signed cert)
$ openssl x509 -req -days 3650 -in san.csr -out san.crt \
  -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -sha256 \
  -extensions v3_req -extfile openssl.cnf

# Check cert (confirm the X509v3 Subject Alternative Name block lists every host)
$ openssl x509 -text -noout -in san.crt

# Create PEM
$ cat san.crt san.key > san.pem

# Convert to PFX (PKCS#12, cert + key in one file) - required for F5
#$ openssl pkcs12 -export -in san.pem -out san.pfx

# Remove passphrase from san.key (the unencrypted key needs restrictive file permissions)
$ openssl rsa -in san.key -out san.key.nopass

# Encrypt via ansible vault
#$ ansible-vault encrypt san.key.nopass
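The root-CA and SAN-certificate steps above, run unattended end to end and then checked, as an added example that is not part of the original post. It assumes OpenSSL 1.1.1 or later (for `-verify_hostname`), keeps the keys unencrypted so no passphrase prompts appear (the post's `-des3` key is the right choice for a CA key you keep), uses a 825-day leaf lifetime instead of 3650 because recent Apple clients reject longer private-CA leaf certs, and all hostnames and subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): builds the root CA and the SAN
# certificate from the two sections above without interactive prompts, then
# verifies that the result chains to the CA and matches only the SAN names.
# All hostnames and subject fields are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; override with WORK=/path

make_root_ca() {
  # Explicit v3_ca section so the CA cert is a real CA regardless of the
  # system openssl.cnf.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[dn]
CN = Example Internal Root CA

[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # 2048-bit and unencrypted to keep the demo fast and unattended.
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/rootCA.key" -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -out "$WORK/rootCA.pem"
}

make_san_cert() {
  # req_extensions puts the SAN into the CSR; -extensions/-extfile below
  # makes sure it also lands in the signed certificate. The CN is repeated
  # as DNS.1 because clients match the SAN list, not the CN.
  cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
C = CN
ST = Shanghai
L = Shanghai
O = OrgsName
OU = DevOps
CN = primary.internal.example

[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = primary.internal.example
DNS.2 = alt1.internal.example
DNS.3 = alt2.internal.example
EOF
  openssl genrsa -out "$WORK/san.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/san.key" -config "$WORK/san.cnf" -out "$WORK/san.csr"
  openssl x509 -req -in "$WORK/san.csr" -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" \
    -CAcreateserial -days 825 -sha256 -extensions v3_req -extfile "$WORK/san.cnf" \
    -out "$WORK/san.crt" 2>/dev/null
  # Private keys are plaintext on disk here, so restrict them to the owner.
  chmod 600 "$WORK/rootCA.key" "$WORK/san.key"
}

# Exit status 0 when san.crt chains to rootCA.pem and is valid for hostname $1.
cert_valid_for() {
  openssl verify -CAfile "$WORK/rootCA.pem" -verify_hostname "$1" "$WORK/san.crt" >/dev/null 2>&1
}

# Lists the DNS names in the certificate's subjectAltName, one per line.
list_sans() {
  openssl x509 -in "$WORK/san.crt" -noout -text | grep -o 'DNS:[^, ]*'
}

make_root_ca
make_san_cert
list_sans
cert_valid_for alt1.internal.example && echo "alt1.internal.example: OK"
cert_valid_for other.internal.example || echo "other.internal.example: rejected (not in SAN)"
```

The last two lines are the check worth keeping around: `openssl verify -verify_hostname` answers the same question a browser will ask, so a name that is in the CN but missing from the SAN list shows up as a failure here rather than in production.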