Wednesday, April 12, 2017

Use openssl to create certificates

openssl can be used to manually generate certificates for your cluster.

1. Generate a key "ca.key" using 2048 bits:
openssl genrsa -out ca.key 2048

2. Use the ca.key to generate a certificate "ca.crt" (use -days to set the certificate effective time):
openssl req -x509 -new -nodes -key ca.key \
    -subj "/CN=${MASTER_IP}" -days 1000 -out ca.crt

3. Generate a key "server.key" using 2048 bits, the same way as the CA key:
openssl genrsa -out server.key 2048

4. Use the server.key to generate a Certificate Signing Request "server.csr":
openssl req -new -key server.key -subj "/CN=${MASTER_IP}" \
    -out server.csr

5. Use the CA key "ca.key", the CA certificate "ca.crt" and the server CSR "server.csr" to generate the server certificate "server.crt":
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 10000

6. View the certificate:
openssl x509 -noout -text -in ./server.crt

The above procedure uses openssl to generate the CA certificate and a server certificate that the CA will be able to validate, since the server certificate was signed with the CA's private key.

csr file - certificate signing request file. It is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.
crt file - certificate file. crt files are used to verify a secure website's authenticity and are distributed by certificate authority (CA) companies such as GlobalSign, VeriSign and Thawte.
A certificate contains a public key.

The certificate, in addition to the public key, contains further information, such as the issuer, what it is supposed to be used for, and other metadata.

Typically a certificate is itself signed with the issuer's private key; that signature is what verifies its authenticity.