OpenSSL as CA

Use OpenSSL to create a Certificate Authority (CA) certificate and use it to issue certificates for devices in the local LAN. The commands below are for Windows (PowerShell); only slight modifications are needed for Linux (bash).

Create the CA

Create the directories

Start an administrative PowerShell

$CANAME = "<domain_name>-RootCA"

mkdir $CANAME
cd $CANAME

Generate the private key

openssl genrsa -aes256 -out "$CANAME.key" 4096

Provide a passphrase for the key to protect it from unauthorized use. You will be asked for it every time the key is used, i.e. whenever a certificate is signed with the CA.

Generate the certificate

To avoid having to replace the CA certificate on every device later, it is made valid for 10 years (3652 days); any other value is possible. The -addext options (OpenSSL 1.1.1 or newer) mark the certificate as a CA explicitly, so the result does not depend on which openssl.cnf the Windows build finds; -nodes is omitted because it only affects a key that req generates itself, and here the key already exists. You are prompted for the key passphrase.

openssl req -x509 -new -key "$CANAME.key" -sha256 -days 3652 -out "$CANAME.crt" -subj '/CN=<MyDomain Root CA>/C=<2_digit_country_code>/ST=<state>/L=<location>/O=<organization>' -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign"

Install the root certificate

Linux

On Debian/Ubuntu, copy the certificate (it must keep the .crt extension) to /usr/local/share/ca-certificates/, then run as root:

update-ca-certificates

Windows

Open (double click) the certificate and install it for the local machine into "Trusted Root Certification Authorities" (installing into the machine store requires administrative rights).

Create certificates for devices

Create a config file

[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[req_distinguished_name]
# The values are the prompts shown when the request is created
countryName                = Country Name (2 letter code)
stateOrProvinceName        = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
organizationalUnitName     = Organizational Unit Name (eg, section)
commonName                 = Common Name (eg, your name or your server's hostname)

[req_ext]
# These extensions end up in the CSR only. Hand the same section to the signing
# command as well (-extfile <this file> -extensions req_ext), otherwise the
# issued certificate carries no subjectAltName.
keyUsage       = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1   = <dnsname1.mydomain.com>
DNS.2   = <dnsname2.mydomain.com>
IP.1    = <aaa.bbb.ccc.ddd>

openssl/ca.1697206267.txt.gz · Last modified: 2023/10/13 14:11 by olaf