.. rmn1594906401238

.. _create-certificates-locally-using-openssl:

=========================================
Create Certificates Locally using openssl
=========================================

You can use :command:`openssl` to locally create certificates suitable for use
in a lab environment.

.. note::

   Ensure the certificates have an RSA key length >= 2048 bits. The
   |prod-long| Release |this-ver| provides a new version of ``openssl`` which
   requires a minimum of 2048-bit RSA keys for better security / encryption
   strength. You can check the key length by running
   ``openssl x509 -in -noout -text`` and looking for "Public-Key" in the
   output.

.. rubric:: |proc|

.. _create-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:

#. Create a Root |CA| Certificate and Key

   #. Create the Root CA private key.

      .. code-block:: none

         $ openssl genrsa -out my-root-ca-key.pem 2048

   #. Generate the Root CA x509 certificate.

      .. code-block:: none

         $ openssl req -x509 -new -nodes -key my-root-ca-key.pem \
         -days 1024 -out my-root-ca-cert.pem -outform PEM

#. Create and Sign a Server Certificate and Key

   #. Create the Server private key.

      .. code-block:: none

         $ openssl genrsa -out my-server-key.pem 2048

   #. Create the Server certificate signing request (CSR). Specify
      "CN=registry.local" and do not specify a challenge password.

      .. code-block:: none

         $ openssl req -new -key my-server-key.pem -out my-server.csr

   #. Create the |SANs| list.

      .. code-block:: none

         $ echo subjectAltName = IP:,IP:,DNS:registry.local,DNS:registry.central > extfile.cnf

   #. Use my-root-ca to sign the server certificate.

      .. code-block:: none

         $ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem \
         -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem \
         -days 365 -extfile extfile.cnf

   #. Put the server certificate and key into a single file.

      .. code-block:: none

         $ cat my-server-cert.pem my-server-key.pem > my-server.pem
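The whole procedure above run non-interactively, followed by the checks worth doing before installing the result: the key size the note refers to, the chain back to the root CA, the SAN entries, and that the bundled key matches the certificate. This is an added example, not part of the original page; it assumes ``openssl`` is on the PATH, uses ``-subj`` in place of the interactive prompts, and the two SAN IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): the procedure above run
# non-interactively, then the checks worth doing before installing the result.
# Assumes openssl is on PATH; the two SAN IP addresses are constructed placeholders.
set -eu

WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# Same commands as the procedure; -subj replaces the interactive prompts.
build_lab_certs() {
    openssl genrsa -out my-root-ca-key.pem 2048 2>/dev/null
    openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 \
        -subj "/CN=my-root-ca" -out my-root-ca-cert.pem -outform PEM
    openssl genrsa -out my-server-key.pem 2048 2>/dev/null
    openssl req -new -key my-server-key.pem -subj "/CN=registry.local" \
        -out my-server.csr
    echo "subjectAltName = IP:10.10.10.2,IP:10.10.10.3,DNS:registry.local,DNS:registry.central" \
        > extfile.cnf
    openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem \
        -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem \
        -days 365 -extfile extfile.cnf 2>/dev/null
    cat my-server-cert.pem my-server-key.pem > my-server.pem
}

# RSA key size of a certificate, read from the "Public-Key: (N bit)" line the
# note above refers to. Prints N.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only if the server certificate chains to the root CA, lists the
# given DNS name in its SAN, and its public key matches my-server-key.pem.
check_server_cert() {
    openssl verify -CAfile my-root-ca-cert.pem my-server-cert.pem >/dev/null 2>&1 || return 1
    openssl x509 -in my-server-cert.pem -noout -text | grep -q "DNS:$1" || return 1
    cert_mod=$(openssl x509 -in my-server-cert.pem -noout -modulus)
    key_mod=$(openssl rsa -in my-server-key.pem -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

build_lab_certs
echo "server certificate key size: $(cert_key_bits my-server-cert.pem) bits"
check_server_cert registry.local && echo "chain, SAN and key match: OK"
```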