Key
$ openssl genpkey -out key.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
Output of this is a 2048-bit private key (key.pem).
Certificate
$ openssl req -new -x509 -key key.pem -out cert.pem -days 9999
This takes the private key generated in the step above (key.pem) and creates a self-signed PKI certificate (cert.pem). I put a expiration date of 9999 days on it.
Note - You generally want to use a resolvable DNS entry for the Common Name (CN) field in your certificate. Putting an IP address in that field will bring you troubles from RFC 2818
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
Net, you have to add a subjectAltName (SAN) field to your certificate with that same IP address. I can attest that the Java Runtime Environment and node.js enforce this RFC clause. You can avoid the entire problem by using a host name.
Copyright ©1993-2024 Joey E Whelan, All rights reserved.
