OpenSSL
Make sure /etc/ssl/openssl.cnf has the following:
# Add to [ req ]:
x509_extensions = v3_ca
# Add to file:
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
Root Certificate
# Create directory structure:
mkdir -p ~/onedrive/security/local-ca/{certificates,private-keys}
# Create root certificate using v3_ca extension:
openssl req \
-x509 \
-newkey rsa:4096 \
-keyout ~/onedrive/security/local-ca/private-keys/local_root_ca_key.pem \
-nodes \
-days 10950 \
-sha256 \
-extensions v3_ca \
-subj "/C=GB/ST=LAN/L=LAN/O=Local Certificate Authority/CN=Local Root CA" \
-out ~/onedrive/security/local-ca/certificates/local_root_ca_cert.pem
V3 Extension
Create ~/onedrive/security/local-ca/v3.ext.
[req]
req_extensions = v3_req
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.local.lan
DNS.2 = local.lan
Wildcard Certificate
# Create key:
openssl req \
-new \
-newkey rsa:4096 \
-nodes \
-keyout ~/onedrive/security/local-ca/private-keys/local_lan_key.pem \
-subj "/C=GB/ST=LAN/L=LAN/O=Local LAN/CN=*.local.lan" \
-out ~/onedrive/security/local-ca/certificates/local_lan_csr.pem
# Create certificate:
sudo openssl x509 \
-req \
-in ~/onedrive/security/local-ca/certificates/local_lan_csr.pem \
-extfile ~/onedrive/security/local-ca/v3.ext \
-extensions v3_req \
-CA ~/onedrive/security/local-ca/certificates/local_root_ca_cert.pem \
-CAkey ~/onedrive/security/local-ca/private-keys/local_root_ca_key.pem \
-CAcreateserial \
-out ~/onedrive/security/local-ca/certificates/local_lan_cert.pem \
-days 365 \
-sha256