I am hosting some containers at home that I would like protected with TLS. Since the process of creating these certificates is easy to forget, I am documenting it here for my future self. :)
This process generates several files that tend to end with some common extensions. Here they are:
KEY
: Private key (restrictive permissions should be set on this).
CSR
: Certificate Signing Request (this will be signed by our CA in order to create the server certificate; afterwards it is not needed and can be deleted).
CRT
: Certificate (this can be publicly distributed).
PEM
: We will use this extension for files that contain both the key and the server certificate (some servers need this). Permissions should be restrictive on these files.

When creating the private key, you can do it with or without a password.
If you create your private key with a password, you can remove it later. If you need extra security, it is recommended to create the private key with a password and then strip the password off each time you need to use the key. That way you can complete the rest of the steps using a decrypted copy of the private key, and you will not have to type in your password every time you use the certificate. :)
$ openssl genrsa -out domain.tld.key 4096
$ openssl genrsa -des3 -out domain.tld.encrypted.key 4096
To remove the password and encryption from the private key and output a decrypted private key:
$ openssl rsa -in domain.tld.encrypted.key -out domain.tld.key
IMPORTANT: The .key file here is your private key. It must be kept a secret.
Next, create a certificate signing request for the key, then sign that request with the same key to produce a self-signed certificate valid for 365 days:
$ openssl req -new -key domain.tld.key -out domain.tld.csr
$ openssl x509 -req -sha256 -days 365 -in domain.tld.csr -signkey domain.tld.key -out domain.tld.crt
This can be achieved by combining the .key and .crt files together.
$ cat domain.tld.key domain.tld.crt > domain.tld.pem
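The whole procedure above, wrapped into a POSIX shell function, as an added example that is not part of the original post. It runs non-interactively (a `-subj` argument replaces the prompts of `openssl req`), keeps the secret files owner-only via `umask`, deletes the CSR once it has served its purpose, and adds a few checks a practitioner would want before deploying: that the certificate really belongs to the key, that it is not expired and carries the host name as a SAN (modern clients ignore the CN), and that the `.key` and `.pem` files are not readable by others. The host name `domain.tld` and the output directory are placeholders, and the OpenSSL command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# installed; "domain.tld" and the output directory are placeholders.

# make_selfsigned_cert HOST DIR
# Generates DIR/HOST.key, DIR/HOST.crt and DIR/HOST.pem (key + cert).
make_selfsigned_cert() {
    host="$1"
    dir="$2"
    mkdir -p "$dir"

    # Everything created from here on is owner-only (0600). Save and restore
    # the caller's umask so the function has no side effects on the shell.
    old_umask=$(umask)
    umask 077

    # 1. Private key, unencrypted (add -des3 for the password-protected variant).
    openssl genrsa -out "$dir/$host.key" 4096 2>/dev/null

    # 2. Certificate signing request; -subj avoids the interactive questions.
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" 2>/dev/null

    # 3. Self-signed certificate, 365 days, SHA-256, with a subjectAltName so
    #    browsers and TLS libraries can match the host name.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" \
        -extfile "$dir/$host.ext" 2>/dev/null

    # 4. The CSR (and the extension snippet) are no longer needed.
    rm -f "$dir/$host.csr" "$dir/$host.ext"

    # 5. Combined file for servers that want key and certificate together.
    cat "$dir/$host.key" "$dir/$host.crt" > "$dir/$host.pem"

    umask "$old_umask"
}

# cert_matches_key CRT KEY
# Succeeds when the public key embedded in the certificate equals the public
# half of the private key, i.e. the two files really belong together.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_is_valid_for CRT HOST
# Succeeds when the certificate has not expired and lists HOST as a DNS SAN.
cert_is_valid_for() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1 || return 1
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# secret_perms_ok FILE
# Succeeds when FILE is a regular file readable and writable by its owner only.
secret_perms_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone usage: ./make-cert.sh domain.tld ./certs
if [ -n "$1" ]; then
    make_selfsigned_cert "$1" "${2:-.}"
    cert_matches_key "${2:-.}/$1.crt" "${2:-.}/$1.key" && echo "key/cert match: OK"
    cert_is_valid_for "${2:-.}/$1.crt" "$1" && echo "validity and SAN: OK"
    secret_perms_ok "${2:-.}/$1.key" && echo "key permissions: OK"
fi
```

The `cert_matches_key` check is the one worth keeping around: it catches the classic mistake of pairing a freshly regenerated key with last year's certificate, which otherwise only shows up as a confusing handshake failure on the server.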