Lars J├Ânsson 2021-02-06

Information about how to create and install certificates.

Create certificates

All new certificates to be used by web browsers need to have a SAN (Subject Alternative Name). Only the CN (Common Name) is not sufficient anymore. Many CAs (Ceritificate Authority) adds the SAN automatically at signing, by copying the CN to SAN. If this is not the case, the SAN needs to be included in the CSR (Certificate Signing Request).

Throughout this chapter <function> is used as a descriptive name of the key, CSR and certificate. <hostname> and <ip-address> are hostname resp. IP address of the server where the certificate will be installed.

Create key and CSR

Create a certificate for a DNS name (domain may be omitted)

$ openssl req -new -newkey rsa:4096 -keyout <function>.key -out <function>.csr

Enter the CSR details when prompted. For some fields there will be a default value. If you enter ., the field will be left blank.

In lab environment where you have your own CA, the Common Name can be an IP address. It is preferred though to avoid IP addresses and use an internal DNS instead. Official CAs will never issue a certificate for an IP address.

Create key and CSR with SAN (Subject Alternative Name)

The SAN needs to be added at the command line. It can be a host name, IP address or both. There can also be multiple host names and IP addresses in the same request.

The other information that needs to be input in the request is same as decribed in Create key and CSR. The Common Name should be set to same as SAN, but in the case multiple names (host name and/or IP address) are used, use the first entry as Common Name.

Create a certificate for a DNS name (domain may be omitted)

$ openssl req -new -newkey rsa:4096 -keyout <function>.key \
  -addext "subjectAltName = DNS:<hostname>" \
  -out <function>.csr

Create a certificate for an IP address

$ openssl req -new -newkey rsa:4096 -keyout <function>.key \
  -addext "subjectAltName = IP:<ip-address>" \
  -out <function>.csr

Example with mutiple SAN entries

$ openssl req -new -newkey rsa:4096 -keyout myserver.key \
  -addext "subjectAltName = DNS:mysersver.example.com,DNS:myserver.example.net,IP:" \
  -out myserver.csr

Sign CSR

Send the CSR to a CA for signing. It can be signed according these instructions, if you have your own private CA.

Now you have a signed certificate that can be installed.

Install certificates

Install root CA certificate on Linux


Install the root CA as a system wide root CA. This needs to be executed on all hosts that needs to trust this root CA.

$ sudo su
# cd /etc/pki/ca-trust/source/anchors/
# cp .../my-root-ca.cert.pem .
# update-ca-trust
# exit

Verify that the new root CA is avalable

$ trust list | less

Install root CA certificates on Windows

Add the extension crt to the certificate(s) that shall be installed. The extension crt is recognized by Windows as a certificate and can be installed by double-clicking on it in Windows Explorer.