Published 2021-03-06
I wanted my self-signed certificate to be good for edwardtefft.com AND www.edwardtefft.com.
First, openssl.cnf needed to be edited, but that was the only inconvenience. Note that I use Slackware Linux, so your distribution may keep openssl.cnf somewhere else and with different content.
Edit /etc/ssl/openssl.cnf and uncomment the line:
```
req_extensions = v3_req
```
Also, under the [ v3_req ] section, make sure it says:
```
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = edwardtefft.com
DNS.2 = www.edwardtefft.com
```
Then, generate a key and certificate with the following command:
```
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout gemkey.pem -out gemcert.pem -extensions 'v3_req'
```
Most questions it asks can be left blank. Note that entering a period '.' leaves a field blank rather than accepting the default shown in brackets. For reference, these are the only questions I answered:
```
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Kentucky
...
Common Name (e.g. server FQDN or YOUR name) []:edwardtefft.com
Email Address []:tefftedward@yahoo.com
```
After those are generated, you can check that your Subject Alternative Names (SANs) are correct by running:
```
openssl x509 -in gemcert.pem -noout -text
```
There should be a section in the output that says:
```
X509v3 Subject Alternative Name:
    DNS:edwardtefft.com, DNS:www.edwardtefft.com
```
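The same procedure as a script, added here as an example and not part of the original post: it writes a stand-alone config with the same v3_req and alt_names sections, generates the certificate non-interactively, and then checks that both SANs are present and the certificate is not a CA. The working directory, the -subj fields, and the 2048-bit key size (the post uses 4096) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the two-name certificate
# from a self-contained config, then verify what actually ended up in it.
# Paths, the DN fields and the 2048-bit key size (post uses 4096) are assumptions.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/san.cnf"; KEY="$WORKDIR/gemkey.pem"; CRT="$WORKDIR/gemcert.pem"

# Stand-alone equivalent of the edited openssl.cnf sections; prompt = no
# makes the run non-interactive so it can be scripted and tested.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = US
ST = Kentucky
CN = edwardtefft.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = edwardtefft.com
DNS.2 = www.edwardtefft.com
EOF
}

# Same openssl req invocation as the post, pointed at the config above.
generate_cert() {
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout "$KEY" \
        -out "$CRT" -config "$CNF" -extensions v3_req 2>/dev/null
}

# Succeeds only if every expected DNS SAN is present and the cert is not a CA.
check_cert() {
    text=$(openssl x509 -in "$CRT" -noout -text)
    for name in "$@"; do
        printf '%s\n' "$text" | grep -q "DNS:$name" || return 1
    done
    printf '%s\n' "$text" | grep -q 'CA:FALSE'
}

# SHA-256 fingerprint a Gemini client can pin on first use.
fingerprint() { openssl x509 -in "$CRT" -noout -fingerprint -sha256; }

write_config && generate_cert
check_cert edwardtefft.com www.edwardtefft.com && fingerprint
```

Because Gemini clients trust a server certificate on first use, the fingerprint printed at the end is the value worth recording and comparing after any regeneration.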
Sources:
=> https://tech.lanesnotes.com/2009/04/creating-ssl-certificates-with-multiple.html