My solution: openssl req \ -newkey rsa:2048 \ -x509 \ -nodes \ -keyout server.key \ -new \ -out server.crt \ -subj /CN=dev.mycompany.com \ -reqexts SAN \ -extensions SAN \ -config <(cat /System/Library/OpenSSL/openssl.cnf \ <(printf ‘[SAN]\nsubjectAltName=DNS:dev.mycompany.com’)) \ -sha256 \ -days 3650 Status: Works for me
The .crt file is sent to everything that connects; it is public. (chown root:root and chmod 644) To add to the private key location; make sure you secure it properly as well as having it in there. (chown root:ssl-cert and chmod 640)
I’ll answer this in two steps… Do You Need an SSL Cert for Each Subdomain ? Yes and No, it depends. Your standard SSL certificate will be for single domain, say www.domain.example. There are different types of certs you can aside from the standard single domain cert: wildcard and multi domain certs. A wild card … Read more
crt and key files represent both parts of a certificate, key being the private key to the certificate and crt being the signed certificate. It’s only one of the ways to generate certs, another way would be having both inside a pem file or another in a p12 container. You have several ways to generate … Read more
There’s some inconsistency between SSL implementations on how they match wildcards, however you’ll need the root as an alternate name for that to work with most clients. For a *.example.com cert, a.example.com should pass www.example.com should pass example.com should not pass a.b.example.com may pass depending on implementation (but probably not). Essentially, the standards say that … Read more
Certificate lifespan Security Shorter lifespan is better. Simply because revocation is mostly theoretical, in practice it cannot be relied on (big weakness in the public PKI ecosystem). Management Without automation: Longer lifespan is more convenient. LE may not be feasible if you, for whatever reason, cannot automate the certificate management With automation: Lifespan doesn’t matter. … Read more
Convert a DER file (.crt .cer .der) to PEM openssl x509 -inform der -in certificate.cer -out certificate.pem Source
For system-wide use, OpenSSL should provide you /etc/ssl/certs and /etc/ssl/private. The latter of which will be restricted 700 to root:root. If you have an application that doesn’t perform initial privilege separation from root, then it might suit you to locate them somewhere local to the application with the relevantly restricted ownership and permissions.
http://comments.gmane.org/gmane.comp.encryption.openssl.user/43587 suggests this one-liner: openssl crl2pkcs7 -nocrl -certfile CHAINED.pem | openssl pkcs7 -print_certs -text -noout It indeed worked for me, but I don’t understand the details so can’t say if there are any caveats. updated june 22: for openssl 1.1.1 and higher: a single-command answer can be found here serverfault.com/a/1079893 (openssl storeutl -noout -text -certs … Read more
OpenSSL will allow you to look at it if it is installed on your system, using the OpenSSL x509 tool. openssl x509 -in cerfile.cer -noout -text The format of the .CER file might require that you specify a different encoding format to be explicitly called out. openssl x509 -inform pem -in cerfile.cer -noout -text or … Read more