Your script generates only one certificate, a self-signed certificate. Usually a self-signed certificate is called a root certificate. This can be used as a CA certificate, but often an intermediate CA certificate is created and signed with the Root secret key. This intermediate CA certificate is then used to sign Server certificates. So you have this hierarchy:
Root → CA → Server
CA and Root certificate can be included in the list of trusted certificates. Then a browser that trusts this list will also trust any certificate signed by CA or Root objects.
You do not need to have this hierarchy ... you can use the Root certificate as a CA and skip the middle certificate. You can also use only one self-signed certificate as a Root / Server certificate. See Article (trust self-signed certificates) .
But if you have this hierarchy, here are a few OpenSSL commands to generate the necessary keys and certificates:
# 1. Create Root private key openssl genrsa -out root.key 2048 # 2. Create self-signed Root certificate openssl req -new -key root.key -x509 -out root.crt -days 5000 -sha256 # 3. Create CA private key openssl genrsa -out ca.key 2048 # 4. Create CA CSR openssl req -new -key ca.key -out ca.csr -days 5000 # 5. Sign and create CA certificate openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -out ca.crt -set_serial 2 -days 5000 -sha256 # 6. Create Server private key openssl genrsa -out server.key 2048 # 7. Create Server CSR openssl req -new -key server.key -out server.csr -days 5000 # 8. Sign and create Server certificate openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -set_serial 3 -days 5000 -sha256
Change the key bits, number of valid days, serial numbers and add the V3 extensions as you see fit.
Also remember that different browsers have different lists that they trust. Chrome and IE use the default Windows list. Firefox has its own list.
gtrig source share