sslhappy-csr | sslhappy-csr-quick
some notes on how to do it faster
I recommend going through the full-blown process, but if you're in a hurry,
here you go. In a nutshell, use -keyout instead of -key.
handy variable for the filenames to be read and written
short=...
prepare the openssl config per cert
vi $short.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = RU
emailAddress = EMAIL_HERE
L = CITY_HERE
O = ORG_HERE
OU = ORG_BRANCH_HERE
CN = PRIMARY_FQDN_HERE

[req_ext]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth

[alt_names]
DNS.1 = PRIMARY_FQDN_HERE
DNS.2 = ...ANOTHER_FQDN...
here’s a handy script in case you need to load plenty of FQDNs in da SAN
n=1
# read line by line so a wildcard entry such as *.example.org is not glob-expanded
while read -r domain; do
    echo "DNS.$n = $domain"
    ((n++))
done < domains; unset domain
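A stricter take on the loop above, added here as an example and not part of the original notes: it skips blanks, comments and duplicates and refuses any entry that is not a plain hostname (optionally with one leading wildcard label), so a stray line cannot end up as arbitrary text in $short.cnf. The function name san_lines and the sample list are assumptions made for the illustration.

```bash
#!/bin/sh
# Added example, not from the original notes. san_lines is a hypothetical helper.
LC_ALL=C; export LC_ALL          # byte-wise ranges in the patterns below

# usage: san_lines FILE -> prints "DNS.n = fqdn" lines, returns 1 if any entry was rejected
san_lines() {
    n=1; seen=' '; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and whitespace, fold to lowercase
        d=$(printf '%s' "${line%%#*}" | tr -d ' \t\r' | tr 'A-Z' 'a-z')
        [ -n "$d" ] || continue
        host=${d#\*.}            # permit a single leading wildcard label
        case $host in
            ''|*[!a-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*)
                printf 'rejected: %s\n' "$line" >&2; rc=1; continue ;;
        esac
        if [ "${#d}" -gt 253 ]; then
            printf 'rejected (too long): %s\n' "$line" >&2; rc=1; continue
        fi
        case $seen in *" $d "*) continue ;; esac    # skip duplicates
        seen="$seen$d "
        printf 'DNS.%s = %s\n' "$n" "$d"
        n=$((n + 1))
    done < "$1"
    return "$rc"
}

# Constructed sample list: a duplicate, a wildcard, an empty label, and a line
# carrying characters that have meaning in an OpenSSL config file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
www.example.org
WWW.example.org     # duplicate once lowercased
*.example.org
bad..example.org
api.example.org = $ENV::HOME
EOF
san_lines "$sample" || echo "fix the rejected entries before building the CSR" >&2
rm -f "$sample"
```

To use it, append the output under the [alt_names] header, for instance with `san_lines domains >> $short.cnf`.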
without -key, a new RSA 2048 privkey is created by default
(even without an existing openssl.cnf:[req])
openssl req -new -keyout $short.key -out $short.csr -config $short.cnf -noenc -sha256 # default # -newkey rsa:2048
so it is better to add the -newkey option and possibly enforce ECC
openssl req -new -keyout $short.key -out $short.csr -config $short.cnf -noenc -sha256 \
-newkey ec:<(openssl ecparam -name prime256v1)
# more options
# -newkey ec:<(openssl ecparam -name prime256v1)
# -newkey ec:<(openssl ecparam -name secp384r1)
fix the perms
chmod 400 $short.key