How to create a self-signed root CA certificate
Generate the root CA private key:
$ openssl genrsa -out rootCA.key 2048
Generate root CA certificate:
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Create the extension configuration file
The device certificate must have a subjectAltName field.
$ nano v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = yellowfruit.lan
Generate the device private key:
$ openssl genrsa -out device.key.pem 2048
Create the CSR:
$ openssl req -new -key device.key.pem -out device.csr
Generate certificate signed with root CA:
$ openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt.pem -days 3650 -sha256 -extfile v3.ext
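The whole procedure above as a non-interactive script that also verifies the result. This is an added example, not part of the original page; the -subj values, the function names and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example: the page's steps run non-interactively, then verified.
# Assumptions: the -subj values and the temporary working directory.
set -eu

build_chain() (   # subshell: relative file names, exactly as in the steps above
    cd "$1" &&
    openssl genrsa -out rootCA.key 2048 &&
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
        -subj "/CN=Example Root CA" -out rootCA.pem &&
    cat > v3.ext <<'EOF' &&
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = yellowfruit.lan
EOF
    openssl genrsa -out device.key.pem 2048 &&
    # CN is deliberately not the host name (assumption for this example)
    openssl req -new -key device.key.pem -subj "/CN=device" -out device.csr &&
    openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
        -out device.crt.pem -days 3650 -sha256 -extfile v3.ext
)

# Device certificate chains to the root CA
check_chain() { openssl verify -CAfile "$1/rootCA.pem" "$1/device.crt.pem" >/dev/null 2>&1; }

# Host name $2 matches the certificate (openssl's own name matching)
check_host() {
    openssl x509 -in "$1/device.crt.pem" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# Certificate public key belongs to the device private key
check_key() {
    [ "$(openssl x509 -in "$1/device.crt.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/device.key.pem" -pubout)" ]
}

report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }

work=$(mktemp -d)
build_chain "$work"
report check_chain "$work"
report check_host "$work" yellowfruit.lan
report check_key "$work"
rm -rf "$work"
```

Because the device CN is not the host name, check_host passes only when -extfile v3.ext has put yellowfruit.lan into subjectAltName.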