===== OpenSSL as CA =====

Use OpenSSL to create a Certificate Authority certificate and use it to generate certificates for devices in the local LAN
This is a description using Window - slight modifications needed for Linux (bash)

==== Create the CA ====
=== Create the directories ===
Start an administrative PowerShell
<code>
$CANAME=<domain_name>-RootCA

mkdir $CANAME
cd $CANAME
</code>

=== Generate the private key ===
<code>
openssl genrsa -aes256 -out "$CANAME.key" 4096
</code>
Provide a password for the key to protect it from unauthorized use

=== Generate the certificate ===
To avoid changing the CA certificate I'll make it 10 years (3652 days) valid - any other value is possible
<code>
openssl req -x509 -new -nodes -key "$CANAME.key" -sha256 -days 3652 -out "$CANAME.crt" -subj '/CN=<MyDomain Root CA>/C=<2_digit_country_code>/ST=<state>/L=<location>/O=<organization>'
</code>

=== Install the root certificate ===
== Linux ==
Copy the certificate to ''/usr/local/share/ca-certificates/''
Then run as root:
<code>
update-ca-certificates
</code>

== Windows ==
Open (double click) the certificate and install it for the local machine into "Trusted Root Certificate Authorities"


==== Create certificates for devices ====

=== Create a config file ===
<code>
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[req_distinguished_name]
countryName                = Country Name (2 letter code)
stateOrProvinceName        = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
organizationalUnitName     = Organizational Unit Name (eg, section)
commonName                 = Common Name (eg, your name or your server's hostname)

[req_ext]
keyUsage       = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1   = <dnsname1.mydomain.com>
DNS.2   = <dnsname2.mydomain.com>
IP.1    = <aaa.bbb.ccc.ddd.eee>
</code>
Save it as <device_name>.<domain>.cfg

=== Create a key and the Certificate Signing Request ===
<code>
openssl req -new -nodes -out <device_name>.<domain>.csr -newkey rsa:2048 -keyout <device_name>.<domain>.key -config <device_name>.<domain>.cfg
</code>
This creates two files: one with the key and one with the CSR.

=== Create the certificate ===
<code>
openssl x509 -req -sha256 -CA <path_and_file_name_Root_CA_cert> -CAkey <path_and_file_name_Root_CA_key> -in <device_name>.<domain>.csr -out <device_name>.<domain>.crt -days 2920 -CAcreateserial -extensions req_ext -extfile <device_name>.<domain>.cfg
</code>