This post is written based on macOS Catalina (10.15.3). Newer versions will likely have a newer LibreSSL and make part of the post obsolete.

Prepare OpenSSL command to create certificate

Using OpenSSL it is actually quite easy to generate such a certificate:

```shell
openssl req -x509 -nodes -days 825 -newkey rsa:4096 \
  -addext "subjectAltName = LIST_OF_DOMAINS_OR_IPS" \
  -addext "extendedKeyUsage = serverAuth" \
  -keyout key.pem -out crt.pem
```

Where LIST_OF_DOMAINS_OR_IPS must be replaced with a comma-separated list of domains and/or IP addresses for which the certificate will be issued. There can be multiple IP addresses and domain names provided.

For a Raspberry Pi available on the LAN with IP address 192.168.0.123 and domain names pi.local and pi.home, the whole line 2 of the command would look like this:

```shell
  -addext "subjectAltName = IP:192.168.0.123,DNS:pi.local,DNS:pi.home" \
```

Let’s give it a try

```shell
openssl req -x509 -nodes -days 825 -newkey rsa:4096 \
  -addext "subjectAltName = IP:192.168.0.123,DNS:pi.local,DNS:pi.home" \
  -addext "extendedKeyUsage = serverAuth" \
  -keyout key.pem -out crt.pem
```

The command will actually fail with an error like this:

```
unknown option -addext
```

Wait, what?

The problem is the OpenSSL used by macOS. On macOS (Catalina 10.15.3 at the time of writing this post) the OpenSSL is actually LibreSSL.

```shell
$ which openssl
```

And the option we need, -addext, is available only from LibreSSL 3.1.0 (see Release notes).

Installing “proper” OpenSSL using Homebrew

We can easily get the “proper” OpenSSL using Homebrew. Make sure you have Homebrew installed and execute:

```shell
brew install openssl
```

Run again with Homebrew version of OpenSSL

Let’s give it a shot one more time…

```shell
/usr/local/opt/openssl/bin/openssl req -x509 -nodes -days 825 -newkey rsa:4096 \
  -addext "subjectAltName = IP:192.168.0.123,DNS:pi.local,DNS:pi.home" \
  -addext "extendedKeyUsage = serverAuth" \
  -keyout key.pem -out crt.pem
```
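A pre-flight check for the failure described above, as an added example that is not part of the original post: it decides from the `openssl version` output whether a binary accepts `-addext`, builds the subjectAltName list from plain host arguments, and prints the extensions of the generated certificate. The function names, the `mkcert.sh` file name and the OpenSSL 1.1.1 minimum are assumptions of this example; the LibreSSL 3.1.0 minimum is the one the post gives.

```shell
# supports_addext "<output of openssl version>": succeeds if that build accepts
# `req -addext`. Minimums: LibreSSL 3.1.0 (from the post), OpenSSL 1.1.1 (assumed here).
supports_addext() {
    flavor=$(printf '%s\n' "$1" | awk '{print $1}')
    ver=$(printf '%s\n' "$1" | awk '{print $2}' | sed 's/[^0-9.].*$//')
    case "$flavor" in
        LibreSSL) min=3.1.0 ;;
        OpenSSL)  min=1.1.1 ;;
        *)        return 1 ;;
    esac
    printf '%s %s\n' "$ver" "$min" | awk '{   # numeric compare, field by field
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
    }'
}

# build_san host...: prefix each argument with IP: or DNS: and join with commas.
build_san() {
    san=""
    for h in "$@"; do
        case "$h" in
            *:*)       entry="IP:$h" ;;    # IPv6 literal
            *[!0-9.]*) entry="DNS:$h" ;;   # contains something other than digits and dots
            *)         entry="IP:$h" ;;    # dotted IPv4
        esac
        san="${san:+$san,}$entry"
    done
    printf '%s\n' "$san"
}

# make_cert <openssl-binary> host...: run the post's command with that binary,
# then print the extensions so you can confirm they landed in the certificate.
make_cert() {
    bin=$1; shift
    supports_addext "$("$bin" version)" || {
        echo "$bin lacks -addext: $("$bin" version)" >&2; return 1; }
    "$bin" req -x509 -nodes -days 825 -newkey rsa:4096 \
        -addext "subjectAltName = $(build_san "$@")" \
        -addext "extendedKeyUsage = serverAuth" \
        -keyout key.pem -out crt.pem || return 1
    chmod 600 key.pem   # -nodes writes the private key unencrypted
    "$bin" x509 -in crt.pem -noout -text | grep -A1 -E 'Subject Alternative Name|Extended Key Usage'
}

# e.g. sh mkcert.sh /usr/local/opt/openssl/bin/openssl 192.168.0.123 pi.local pi.home
if [ "$#" -gt 1 ]; then make_cert "$@"; fi
```

A non-zero exit from `make_cert` after the key is written means the `grep` found neither extension in the certificate.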