[openssl-users] scripting creating a cert

Robert Moskowitz rgm at htt-consult.com
Fri Mar 10 01:43:38 UTC 2017


On 03/09/2017 08:17 PM, Viktor Dukhovni wrote:
>> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> I am creating self-signed certs with:
>> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 -extensions v3_req
>> Where, for example:
>> your_host_tld=z9m9z.test.htt-consult.com
>> Thing is that this then prompts for a number of fields
> The simplest solution is to set the subject DN explicitly on the command-line:
>     $ umask 077 # avoid world-readable private keys

Perhaps (no perhaps about it) this is old information, but I picked up 
that I needed:

chmod 640 for the private keys for Apache.  (and postfix and others use 
these certs; at least they are in their confs)

>     $ openssl req -new -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key \
> 	-x509 -subj "/CN=$(uname -n)" -out certs/$your_host_tld.crt \
> 	-days 3650 -extensions v3_req
> Fore more advanced related approaches see:
>      https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

Looks like this is pointing me in the direction I want to go.  I will 
dig more into this approach.

thank you

More information about the openssl-users mailing list