[openssl-users] scripting creating a cert
Robert Moskowitz
rgm at htt-consult.com
Fri Mar 10 01:43:38 UTC 2017
Viktor,
On 03/09/2017 08:17 PM, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>
>> I am creating self-signed certs with:
>>
>> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 -extensions v3_req
>>
>> Where, for example:
>>
>> your_host_tld=z9m9z.test.htt-consult.com
>>
>> Thing is that this then prompts for a number of fields
> The simplest solution is to set the subject DN explicitly on the command-line:
>
> $ umask 077 # avoid world-readable private keys
Perhaps (no perhaps about it) this is old information, but I picked up
that I needed:
chmod 640 for the private keys for Apache. (and postfix and others use
these certs; at least they are in their confs)
> $ openssl req -new -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key \
> -x509 -subj "/CN=$(uname -n)" -out certs/$your_host_tld.crt \
> -days 3650 -extensions v3_req
>
> Fore more advanced related approaches see:
>
> https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh
Looks like this is pointing me in the direction I want to go. I will
dig more into this approach.
thank you
More information about the openssl-users
mailing list