I know how to create a self-signed certificate in a one command:
openssl req -x509 -newkey rsa:4096 \
-keyout my.key -passout pass:123456 -out my.crt \
-days 365 \
-subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
-addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
-addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
But I know another sequence:
- generate private key (
openssl genrsa
) - generate CSR (
openssl req -new
) - sign CSR with private key (
openssl x509
)
like:
openssl genrsa -out my.key -passout pass:123456 2048
openssl req -new \
-key my.key -passin pass:123456 -out my.csr \
-subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal
openssl x509 -req \
-in my.csr -signkey my.key -passin pass:123456 -out my.crt \
-days 3650 -CAcreateserial \
-extensions v3_ca \
-extfile <( \
echo "[v3_ca]"; \
echo "extendedKeyUsage=serverAuth"; \
echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal")
Does it create self-signed certificate functionally identical to above one-liner?