Over the years I’ve had to update SSL certificates. Sometimes this is easy, and other times I can’t believe how difficult it can be. In my lab, I have an Ubuntu Server set up to be my Certificate Authority. I create my CA certs and all corresponding certificates using this server. I chose this method instead of using the Windows Server Certificate Authority role to help sharpen my Linux skills. Once I create my CA certificate, I use Windows Group Policy to push that certificate to all Windows domain-connected workstations and devices. Below are the commands that I use to achieve this. Note that this is a wildcard certificate.

Create your CA certificate.

openssl genrsa -des3 -out SSL_CA.key 4096

openssl req -x509 -new -nodes -key SSL_CA.key -sha256 -days 1825 -out SSL_CA.pem

Create your private key, signing request (CSR), and actual SSL Certificate.

In this step I use an OpenSSL CNF file for part of the certificate creation.

touch ssl.cnf
nano ssl.cnf

Put the following three lines in ssl.cnf:

basicConstraints=CA:FALSE
subjectAltName=DNS:*.mydomain.local.com
extendedKeyUsage=serverAuth

Okay, once you have your CNF file created, it’s time to do the dirty work.

openssl genrsa -out mydomain.local.com.key 4096

openssl req -new -key mydomain.local.com.key -out mydomain.local.com.csr

openssl x509 -req -in mydomain.local.com.csr -CA SSL_CA.pem -CAkey SSL_CA.key -CAcreateserial -extfile ssl.cnf -out mydomain.local.com.crt -days 825 -sha256

Now you should have your CRT and KEY files in the directory that you are running the commands in. Make sure your CA certificate is in the same directory as well, or provide the path to it.

Create a PFX Certificate for IIS and Windows Machines.

openssl pkcs12 -export -out mydomain.local.com.pfx -inkey mydomain.local.com.key -in mydomain.local.com.crt
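As an added example (not code from the original post), here is the whole procedure above as one unattended shell function that also checks the result before the CA gets pushed out by Group Policy: the leaf chains to the CA, is not itself a CA, carries the wildcard SAN and serverAuth EKU, and matches its private key. It assumes openssl is on PATH; the CA key is left unencrypted (the post uses -des3) and the PFX password is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: runs the post's four steps
# unattended in a directory you pass in, then checks the result before the CA
# is pushed out by Group Policy. Assumes openssl is on PATH; the CA key is
# left unencrypted (the post uses -des3) and the PFX password is a placeholder.
set -eu

make_and_check_certs() (
  cd "$1" || return 1

  # Step 1: CA key and self-signed CA certificate
  openssl genrsa -out SSL_CA.key 4096 2>/dev/null
  openssl req -x509 -new -nodes -key SSL_CA.key -sha256 -days 1825 \
      -subj "/CN=Lab Root CA" -out SSL_CA.pem 2>/dev/null

  # Step 2: extension file: not a CA, wildcard SAN, server authentication only
  printf '%s\n' 'basicConstraints=CA:FALSE' \
      'subjectAltName=DNS:*.mydomain.local.com' \
      'extendedKeyUsage=serverAuth' > ssl.cnf

  # Step 3: server key, CSR, CA-signed certificate (extensions come from ssl.cnf)
  openssl genrsa -out mydomain.local.com.key 4096 2>/dev/null
  openssl req -new -key mydomain.local.com.key \
      -subj "/CN=*.mydomain.local.com" -out mydomain.local.com.csr
  openssl x509 -req -in mydomain.local.com.csr -CA SSL_CA.pem -CAkey SSL_CA.key \
      -CAcreateserial -extfile ssl.cnf -out mydomain.local.com.crt \
      -days 825 -sha256 2>/dev/null

  # Step 4: PFX bundle for IIS; -certfile ships the CA cert alongside the leaf
  openssl pkcs12 -export -out mydomain.local.com.pfx -inkey mydomain.local.com.key \
      -in mydomain.local.com.crt -certfile SSL_CA.pem -passout pass:ChangeMe

  # Checks a defender wants before deploying: the leaf chains to the CA, is not
  # itself a CA, carries the wildcard SAN and serverAuth EKU, and matches the key.
  openssl verify -CAfile SSL_CA.pem mydomain.local.com.crt >/dev/null || return 1
  txt=$(openssl x509 -in mydomain.local.com.crt -noout -text)
  echo "$txt" | grep -q 'CA:FALSE' || return 1
  echo "$txt" | grep -q 'DNS:\*\.mydomain\.local\.com' || return 1
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  [ "$(openssl pkey -in mydomain.local.com.key -pubout 2>/dev/null)" = \
    "$(openssl x509 -in mydomain.local.com.crt -noout -pubkey)" ] || return 1
  echo "CA and wildcard certificate generated and verified in $1"
)
```

Call it as make_and_check_certs "$(mktemp -d)"; a non-zero exit means one of the generation steps or checks failed.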

By Tim