Comments on: Signing your own wildcard SSL/HTTPS certificates

By: Chris From NJ

Chris From NJ — Mon, 24 Nov 2014 22:01:00 +0000

Need to update for the SHA-1 removal to SHA-256

openssl req -x509 -new -nodes -key rootCA.key -days 9999 -out rootCA.pem

TO:

openssl req -x509 -sha256 -new -nodes -key rootCA.key -days 9999 -out rootCA.pem

Thanks for the Great Guide!! Truly helped me out!

By: Andrey Fedyashov

Andrey Fedyashov — Sun, 29 Jun 2014 08:00:00 +0000

No problem – your post really helped me. One more improvement could be what I found on http://apetec.com/support/GenerateSAN-CSR.htm – to validate that generated CSR lists alternative names as expected:
openssl.exe req -text -noout -in

By: Andrey Fedyashov

Andrey Fedyashov — Sun, 29 Jun 2014 07:57:00 +0000

Yep, confirmed on both windows and mac – config file should be based on existing openssl config (otherwise it just misses important blocks). I’d suggest rephrasing “Create a file named SITE.cnf, and put the following inside” into something like “make a copy of your openssl.cfg and make the following edits”. In fact, the only edits I had to make were:
[req]
req_extensions = v3_req # <—– make sure it is not commented

[v3_req]
subjectAltName = @alt_names # <—- add this one

[alt_names] # <—- add this whole section
DNS.1 = rogerhub.com
DNS.2 = *.rogerhub.com

By: Roger Chen

Roger Chen — Sun, 29 Jun 2014 04:24:00 +0000

I fixed the instructions. Thanks for the tip!

By: Andrey Fedyashov

Andrey Fedyashov — Sun, 29 Jun 2014 03:53:00 +0000

I also cannot get partial config file to work – getting error “no objects specified in config file”, I think config file should be based on a FULL COPY OF EXISTING openssl config file + edits as you mention.

By: Andrey Fedyashov

Andrey Fedyashov — Sun, 29 Jun 2014 03:18:00 +0000

About: “Under the last block, you can insert as many domains with wildcards as you want. To do this, use the following command to generate your CSR:
$ openssl x509 -req -days 9999 -in SITE.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out SITE.crt -config SITE.cnf”

Command seems to generate certificate -out SITE.CRT instead of CSR.

By: Roger Qiu

Roger Qiu — Fri, 14 Mar 2014 03:00:00 +0000

I made a little repo based on your instructions https://github.com/Polycademy/SSLCreator

By: Roger Qiu

Roger Qiu — Thu, 13 Mar 2014 23:20:00 +0000

There really shouldn’t even be a need for certificates for there to be HTTPS connections. They are separate issues. One is to provide a secure connection, the other is validate the identity of the site/client.

By: Justin Nauman

Justin Nauman — Tue, 11 Mar 2014 16:27:00 +0000

Thanks for the very clear breakdown of the commands, this was something I had not seen in other literature I have read around this.

It explained some of the concepts in a bit more digestable and easy to read format than the RFC.

By: rogerhub

rogerhub — Thu, 05 Sep 2013 16:59:00 +0000

I will let you advertise your website here, but I personally believe the CA system is horribly broken and will be replaced in the future with a distributed system of trust. Check out the perspectives project http://perspectives-project.org/ for an idea.