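# --- Self-signed "CA" the long way: key -> CSR -> certificate -------------
# 2048-bit RSA private key. genrsa writes it UNENCRYPTED; add -aes256 to
# passphrase-protect it. Keep the file unreadable by other users (harmless if
# your openssl already created it 0600).
openssl genrsa -out ca.key 2048
chmod 600 ca.key
# CSR with the subject given inline, so nothing is prompted for.
# -sha256 pins the request digest; old releases defaulted to SHA-1.
openssl req -new -sha256 -key ca.key -out ca.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"
# Self-sign the CSR with its own key. -sha256 is explicit for the same
# reason: SHA-1 certificate signatures are rejected by current clients.
# NOTE: x509 -req -signkey does not add basicConstraints=CA:TRUE, so the
# result is a plain self-signed cert. If ca.crt is meant to sign other
# certificates, supply -extfile/-extensions with a CA section and verify the
# output with the x509 -text command below.
openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Inspection commands. The private-key dumps print the secret parameters;
# do not paste their output into tickets, chat or logs.
openssl rsa -in ca.key -pubout -out ca.pubkey
openssl rsa -in ca.pubkey -pubin -text -noout
openssl rsa -in ca.key -text -noout
openssl req -in ca.csr -text -noout
openssl x509 -in ca.crt -text -noout
# Write a request config file (used as: openssl req -new -config req.cnf ...)
cat << EOF > req.cnf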
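# req.cnf -- OpenSSL request configuration, read by: openssl req -config req.cnf
# The main section is named req because the command we are using is req
# (openssl req ...)
[ req ]
# Default key size in bits, used with -new unless -newkey overrides it.
# (Older manuals describe a 512-bit fallback and current releases default
# to 2048; state it explicitly rather than relying on either.)
default_bits = 2048
# Default filename for a generated private key. If not specified the key
# goes to standard output. Overridden by -keyout.
default_keyfile = oats.key
# "no" leaves a generated private key UNENCRYPTED on disk (same as -nodes).
# encrypt_rsa_key is accepted as a compatibility alias. Acceptable for a
# throwaway dev key; for anything that ships, set this to yes or protect
# the key file by other means (0600 mode, HSM/KMS).
encrypt_key = no
# Digest for the request signature. Do not use md5 or sha1: SHA-1 signatures
# are deprecated and rejected by current OpenSSL builds and TLS clients.
# sha256 is the baseline; can be overridden on the command line (-sha384 ...).
default_md = sha256
# "no" disables interactive prompting and takes the DN fields straight from
# the distinguished_name section (which then uses the key = value form
# seen below rather than the prompt/default form).
prompt = no
# Interpret field values as UTF-8 rather than ASCII; values from the terminal
# or from this file must then be valid UTF-8.
utf8 = yes
# Section holding the subject distinguished-name fields.
distinguished_name = my_req_distinguished_name
# Section listing the X.509v3 extensions to embed in the request.
# Overridden by -reqexts. See x509v3_config(5) for the extension syntax.
req_extensions = my_extensions
[ my_req_distinguished_name ]
C = PT
ST = Lisboa
L = Lisboa
O = Oats In The Water
# CN is kept for display only: modern clients match the host name against
# subjectAltName and ignore CN, so every name must also appear in the SAN list.
CN = *.oats.org
[ my_extensions ]
# Leaf certificate -- must never be usable to issue further certificates.
basicConstraints=CA:FALSE
subjectAltName=@my_subject_alt_names
subjectKeyIdentifier = hash
# NOTE: these extensions only land in the CSR. Whether they reach the
# issued certificate is the signer's decision: `openssl ca` drops them
# unless copy_extensions is set in its config, and `openssl x509 -req`
# historically ignores them (newer releases add -copy_extensions).
# Check the issued cert with `openssl x509 -in <cert> -noout -text`.
[ my_subject_alt_names ]
# Wildcards cover exactly one label (*.oats.org does not match oats.org),
# hence the bare apex names listed separately.
DNS.1 = *.oats.org
DNS.2 = *.oats.net
DNS.3 = *.oats.in
DNS.4 = oats.org
DNS.5 = oats.net
DNS.6 = oats.in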
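EOF
# --- Alternative: one command creates the key AND the self-signed cert ----
# -x509 skips the CSR step. The passphrase prompt is intentional; add -nodes
# only for unattended use where the key is protected some other way.
# -days defaults to 30 if omitted, so set it; -sha256 pins the digest.
openssl req -new -x509 -sha256 -days 365 -newkey rsa:4096 -keyout ca.key -out ca.crt
# --- Same steps individually ---------------------------------------------
# generate rsa key (UNENCRYPTED; add -aes256 to passphrase-protect it)
openssl genrsa -out ca.key 2048
chmod 600 ca.key
# view key (prints the private parameters -- keep the output out of logs/tickets)
openssl rsa -in ca.key -noout -text
# export public key
openssl rsa -in ca.key -pubout -out ca.pubkey
# view public key
openssl rsa -in ca.pubkey -pubin -noout -text
# CSR; prompts interactively unless -subj or -config req.cnf is given
openssl req -new -sha256 -key ca.key -out ca.csr
# view csr (the request above was written to ca.csr)
openssl req -in ca.csr -noout -text
# self-sign the CSR. As above, this yields no CA:TRUE basicConstraints;
# add -extfile/-extensions if the result must act as an issuing CA.
openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt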