Discontinued: nowadays, LetsEncrypt certificates are the better way to go.
Why? Because I would rather add a root certificate to all my devices than accept several domain-, IP- or purpose-specific certificates.
Set up a new directory tree (the keys, certs and newcerts subdirectories are used by the commands and the configuration below):
sudo -s
mkdir -p /var/myca/keys /var/myca/certs /var/myca/newcerts
cd /var/myca
Generate a new RSA key for our root CA, protected with an AES-256 passphrase:
openssl genrsa -aes256 -out keys/root.key 4096
Create a self-signed root certificate using the new key:
openssl req -new -key keys/root.key -days 36500 -x509 -out certs/root.crt
Prepare the CA database and serial files:
touch index.txt
echo '01' > serial
Prepare the CA configuration file (/var/myca/myca.conf):
# OpenSSL Configuration for MyCA
####################################################################
[ ca ]
default_ca = myca
####################################################################
[ myca ]
dir = /var/myca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
new_certs_dir = $dir/newcerts # default place for new certs.
database = $dir/index.txt # database index file.
certificate = $dir/certs/root.crt # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/keys/root.key # The private key
RANDFILE = $dir/.rand # private random number file
#crl_dir = $dir/crl # Where the issued crl are kept
#crlnumber = $dir/crlnumber # the current crl number
#crl = $dir/crl.pem # The current CRL
default_days = 365
default_md = sha256 # sha1 signatures are rejected by current clients
policy = myca_policy
x509_extensions = myca_extensions
# A new one - quells a complaint from openssl ca
unique_subject = no # allow several certificates with the same subject.
####################################################################
[ myca_policy ]
commonName = optional
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
####################################################################
# These extensions are added when 'ca' signs a request.
[ myca_extensions ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:false
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
####################################################################
[ req ]
default_bits = 4096
default_md = sha256 # must be a digest, not a cipher
default_keyfile = privkey.pem
#distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
####################################################################
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 0
#challengePassword_max = 20
#unstructuredName = An optional company name
####################################################################
# Extensions for a typical CA
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
Generate the server key and a new CSR with multiple CNs:
openssl genrsa -out keys/example.net.wildcard.key 4096
openssl req -new -key keys/example.net.wildcard.key \
  -subj "/C=DE/O=Organisation name/CN=example.net/CN=*.example.net" \
  -out newcerts/example.net.wildcard.csr
Sign the CSR using our CA:
openssl ca -config myca.conf -out certs/example.net.wildcard.crt \
  -infiles newcerts/example.net.wildcard.csr
Secure the directory (directories keep their search bit, files become 0600):
chown -R root:root /var/myca
chmod -R u=rwX,go= /var/myca
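An added example (not part of the original page) that replays the whole flow above in a throwaway directory and then checks the issued certificate the way a relying party would: the chain verifies against the root, and the leaf carries CA:FALSE and is limited to serverAuth. It assumes the openssl CLI (1.1.1 or later) and mktemp; the function name build_and_check_ca is my own, and the keys are unencrypted and 2048-bit only so the script runs unattended.

```shell
# Replay the CA setup in a temporary directory, issue one leaf certificate with
# "openssl ca", then verify it as a relying party would. Exit status = result.
build_and_check_ca() {
  ca=$(mktemp -d) && mkdir -p "$ca/keys" "$ca/certs" "$ca/newcerts" || return 1
  touch "$ca/index.txt" && echo '01' > "$ca/serial" || return 1
  cat > "$ca/myca.conf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
certificate = \$dir/certs/root.crt
serial = \$dir/serial
private_key = \$dir/keys/root.key
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
[ myca_policy ]
commonName = supplied
[ myca_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
EOF
  # Self-signed root, CSR for the leaf, then the "openssl ca" signing step.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ca/keys/root.key" -config "$ca/myca.conf" \
    -subj "/CN=Demo Root" -days 3650 -out "$ca/certs/root.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$ca/keys/leaf.key" -config "$ca/myca.conf" \
    -subj "/CN=example.net" -out "$ca/newcerts/leaf.csr" 2>/dev/null || return 1
  openssl ca -batch -config "$ca/myca.conf" -out "$ca/certs/leaf.crt" \
    -infiles "$ca/newcerts/leaf.csr" >/dev/null 2>&1 || return 1
  # Relying-party checks: chain builds to the root, leaf is not a CA, leaf is serverAuth only.
  leaf=$(openssl x509 -in "$ca/certs/leaf.crt" -noout -text) || return 1
  openssl verify -CAfile "$ca/certs/root.crt" "$ca/certs/leaf.crt" >/dev/null &&
    printf '%s\n' "$leaf" | grep -q 'CA:FALSE' &&
    printf '%s\n' "$leaf" | grep -q 'TLS Web Server Authentication' &&
    rm -rf "$ca"
}
```

Current browsers match hostnames against subjectAltName rather than the CN, so a production version of myca_extensions needs a subjectAltName entry as well.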