allomov
5/29/2016 - 4:39 AM

create or generate certificate


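# temp.cnf - OpenSSL request configuration, passed to `openssl req -config temp.cnf`.
# Replace every <...> placeholder before use; any placeholder left in place is
# written into the certificate verbatim.

[ req ]
distinguished_name     = req_distinguished_name
# Extensions copied into a CSR. The self-signed command selects the same
# section explicitly with -extensions server_req_extensions.
req_extensions         = server_req_extensions
# Pin the signature digest instead of relying on the build's default, which on
# older OpenSSL releases may be SHA-1.
default_md             = sha256
# Take the subject from this file rather than prompting interactively.
prompt                 = no

[ req_distinguished_name ]
C                      = US
ST                     = CA
L                      = San Francisco
O                      = Pivotal
OU                     = PCF POC
# Use the server's DNS name (FQDN) here, not a URL with scheme or path.
# Clients match host names against subjectAltName, so repeat this name as a
# DNS.n entry in [ alternate_names ].
CN                     = <Your URL>
emailAddress           = <Your email address>

####################################################################
[ server_req_extensions ]

# critical: a verifier that does not understand keyUsage must reject the cert.
# digitalSignature is what an EC (ECDSA) key uses in TLS; keyEncipherment only
# matters for RSA key exchange and is unused with an EC key.
keyUsage                    = critical, digitalSignature, keyEncipherment
# Restrict the certificate to TLS server authentication (least privilege).
# Some TLS clients reject server certificates that lack this extension.
# Add clientAuth only if the same certificate is also presented as a client cert.
extendedKeyUsage            = serverAuth
subjectAltName              = @alternate_names
# Leaf certificate: must not be usable to sign other certificates.
basicConstraints            = CA:FALSE

####################################################################
[ alternate_names ]

# One entry per host name the certificate must cover. Delete unused entries;
# keep the list minimal and avoid broad wildcards.
DNS.1  = <SAN 1>
DNS.2  = <SAN 2>
DNS.3  = <SAN 3>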
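# Generates a private key and a self-signed server certificate from temp.cnf.
#
# wget https://gist.githubusercontent.com/dwallraff/c1ed31291ac7cf19304b/raw/7926af3b843209705427e0c76486ddc7d17d876d/temp.cnf
# (The URL is pinned to one revision; still read the downloaded file before using it.)
# Edit temp.cnf for your information
# Run this script

# Using elliptic curve instead of RSA.
# The subshell sets umask 077 so the private key is created readable by the
# owner only, without changing the umask of the calling shell.
# -noout keeps the EC PARAMETERS block out of keyfile.pem, so the file holds
# just the private key.
( umask 077 && openssl ecparam -genkey -noout -name prime256v1 -out keyfile.pem )
# RSA alternative:
# ( umask 077 && openssl genrsa -out keyfile.pem 2048 )

# Generate cert (self-signed; clients must trust it explicitly).
# -sha256 pins the signature digest instead of relying on the build default.
# -days makes the validity period explicit; 30 is the value openssl uses when
# -days is omitted, so the default behaviour is unchanged. Override with CERT_DAYS.
openssl req -x509 -new -sha256 -days "${CERT_DAYS:-30}" -key keyfile.pem -out cert.pem -extensions server_req_extensions -config temp.cnf

# Check the result before deploying it (subject, SANs, key usage, validity):
# openssl x509 -in cert.pem -noout -text

# With CSR (no -new here: with -new, openssl creates a fresh request and does not read -in)
# openssl req -x509 -sha256 -key keyfile.pem -in csr.csr -out cert.pem -extensions server_req_extensions -config temp.cnf

# Generate CSR using temp.cnf to allow for SANs in the CSR
# (-keyout/-nodes only apply when openssl creates a new key; with -key they are unused)
# openssl req -out csr.csr -key keyfile.pem -new -sha256 -config temp.cnf

# Generate new key and CSR (RSA)
# -nodes writes the private key unencrypted; run under umask 077 as above.
# ( umask 077 && openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.pem )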