
Creating a custom CA and certificates with SAN signed by the CA for testing

There are endless guides on the internet that use endless methods to generate certificates and CAs, but I have not found one that makes it simple to create a custom CA and a CA-signed certificate with a SAN (Subject Alternative Name) for testing.

So I created a simple set of steps:

Create a ca.key

❯ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
................+++
e is 65537 (0x10001)
❯ ls
ca.key

Create a ca.crt

❯ openssl req -x509 -sha256 -new -nodes -key ca.key -days 3650 -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
❯ ls
ca.crt ca.key

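View the details of ca.crt. The Version: 1 (0x0) line in the output means this CA certificate carries no X509v3 extensions, so it has no basicConstraints CA:TRUE.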

❯ openssl x509 -in ca.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13792855951803780583 (0xbf6a116915658de7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US
        Validity
            Not Before: Feb  2 16:15:31 2022 GMT
            Not After : Jan 31 16:15:31 2032 GMT
        Subject: C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

Create your certificate key private.key

❯ openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
.............................................+++
e is 65537 (0x10001)
❯ ls
ca.crt      ca.key      private.key

Create a CSR public.csr

❯ openssl req -new -key private.key -out public.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
❯ ls
ca.crt      ca.key      private.key public.csr

Create an x509 v3 certificate extension config, san.cnf

❯ cat san.cnf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = hostname
DNS.2 = hostname.domain
DNS.3 = localhost
IP.1 = 10.10.10.10
IP.2 = 127.0.0.1

You will need to edit the DNS and IP entries to match your own hosts. For local testing I always like to add localhost and 127.0.0.1.

Create public.crt

❯ openssl x509 -req -in public.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out public.crt -days 825 -sha256 -extfile san.cnf
Signature ok
subject=/C=US
Getting CA Private Key
❯ ls
ca.crt      ca.key      ca.srl      private.key public.crt  public.csr  san.cnf

Verify public.crt

❯ openssl x509 -in public.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17424726433726856201 (0xf1d1105f0ea5fc09)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US
        Validity
            Not Before: Feb  2 16:28:40 2022 GMT
            Not After : May  7 16:28:40 2024 GMT
        Subject: C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                DirName:/C=US
                serial:BF:6A:11:69:15:65:8D:E7

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:hostname, DNS:hostname.domain, DNS:localhost, IP Address:10.10.10.10, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

Note that the SAN is set on public.crt.

Verify the cert against the CA

❯ openssl verify -verbose -CAfile ca.crt public.crt
public.crt: OK

Install public.crt and private.key on your server, and have your client trust ca.crt when it connects to the server.
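
In this procedure the SAN reaches public.crt only through -extfile san.cnf, because the CSR itself carries none. As an added example (not part of the original post), the script below runs the same commands non-interactively with -subj, signs the CSR a second time without -extfile, and checks both certificates by chain and by name; the subject strings, nosan.crt, other.example and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The subjects, nosan.crt and
# other.example are constructed; the openssl commands are the post's own.
make_test_pki() (   # $1 = scratch dir; subshell body keeps the cd local
    mkdir -p "$1" && cd "$1" || exit 1
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -x509 -sha256 -new -nodes -key ca.key -days 3650 \
        -subj "/C=US/O=Test CA" -out ca.crt &&
    openssl genrsa -out private.key 2048 2>/dev/null &&
    openssl req -new -key private.key -subj "/C=US/O=Test Server" \
        -out public.csr &&
    cat > san.cnf <<'EOF' &&
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = hostname
DNS.2 = hostname.domain
DNS.3 = localhost
IP.1 = 10.10.10.10
IP.2 = 127.0.0.1
EOF
    # Signed as in the post: the SAN comes from -extfile san.cnf.
    openssl x509 -req -in public.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out public.crt -days 825 -sha256 -extfile san.cnf 2>/dev/null &&
    # Same CSR signed without -extfile: the chain is valid, the SAN is absent.
    openssl x509 -req -in public.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out nosan.crt -days 825 -sha256 2>/dev/null
)
chain_ok() {       # $1 = CA file, $2 = certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
name_matches() {   # $1 = certificate, $2 = host|ip, $3 = name the client dials
    openssl x509 -in "$1" -noout "-check$2" "$3" | grep -q 'does match certificate'
}
report() {         # build a scratch PKI and print the checks for both certs
    d=$(mktemp -d) && make_test_pki "$d" || return 1
    for crt in public.crt nosan.crt; do
        chain_ok "$d/ca.crt" "$d/$crt" && echo "$crt: chain OK"
        for n in host:localhost host:other.example ip:127.0.0.1; do
            name_matches "$d/$crt" "${n%%:*}" "${n#*:}" &&
                echo "  $n match" || echo "  $n NO match"
        done
    done
    rm -rf "$d"
}
report
```

Both certificates pass openssl verify, which checks only the chain; a TLS client that also checks the name it dialed accepts only the one signed with san.cnf.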

PLEASE DO NOT USE THIS IN PRODUCTION. THIS IS FOR TESTING ONLY

Enjoy!

jlim0930
