- Create a private key (as Root CA Key), keep this very private
- Self-sign a root certificate
- Install root CA on your various workstations
- Create a CSR(Certificate Signing Request) for each of your authorized needed circumstances(device, server, client, etc.)
- Sign CA with root CA Key
# generate a signing key
openssl genrsa -des3 -out rootCA.key 2048
# request a root certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
#DO NOT forget to validate root cert on macos keychain
#then we can start signing servers cert
# request new key from a config file
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )
# request new certificate signed with the previous key
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
[req] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn
[dn] C=US ST=RandomState L=RandomCity O=RandomOrganization OU=RandomOrganizationUnit emailAddress=hello@example.com CN = localhost
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names
[alt_names] DNS.1 = localhost