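# Cheat sheet: trusting, creating and re-signing X.509 certificates with openssl.
# Commands are meant to be run one at a time, not as a script. Most trust-store
# commands need root. $DOMAIN_CRT / $ROOT_CRT / $INTER_CRT are PEM files.
# Fixes vs. the previous version: `req.cnfq` typo, missing `-out` on the root re-sign,
# `trust anchor` with no argument, and a grep that matched on a full path where the
# store only holds basenames.

# ====== Trust self signed certs ======
# Only the OS store is updated. NSS (Firefox, Chromium), Java keystores and some
# language runtimes have their own stores and will still reject the cert.
# Prefer adding a private CA cert here rather than a leaf: anything placed in the
# anchor store is treated as an issuer by tools that allow partial chains.

# Debian based (update-ca-certificates only imports files whose name ends in .crt):
cp -- "$DOMAIN_CRT" "/usr/local/share/ca-certificates/$(basename -- "$DOMAIN_CRT" .crt).crt"
update-ca-certificates        # prints "N added" -- N must not be 0

# Arch Linux:
trust anchor "$DOMAIN_CRT"
# A non-CA (leaf) cert is filed by p11-kit as "other-entry" and is not exported as
# an anchor. To trust it anyway, flip the category in the .p11-kit file that
# `trust anchor` wrote ($P11_KIT, normally under /etc/ca-certificates/trust-source/),
# see https://github.com/harvester/harvester/issues/4134#issuecomment-1888918283
# Note this promotes a key that was never meant to be a CA -- do it on lab hosts only.
sed -i 's/certificate-category: other-entry/certificate-category: authority/g' -- "$P11_KIT"
update-ca-trust

# Alpine (same .crt naming rule as Debian):
cp -- "$DOMAIN_CRT" "/usr/local/share/ca-certificates/$(basename -- "$DOMAIN_CRT" .crt).crt"
update-ca-certificates

# Check: the bundle dir gets a symlink named after the FILE, so grep the basename,
# not the full path (a full path never matched).
ls -l /etc/ssl/certs/ | grep -F -- "$(basename -- "$DOMAIN_CRT" .crt)"
# Stronger check for a self-signed cert: it must now verify against the system store.
openssl verify -- "$DOMAIN_CRT"

# ====== General commands ======
# Create root private key, passphrase protected (prompted). The passphrase is all
# that protects the CA if the file leaks; keep the file 0600 and off shared disks.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out root.key
chmod 600 root.key

# Show private key info (prints the key material -- never paste this into tickets/logs):
openssl pkey -in root.key -text -noout

# Generate pub key:
openssl pkey -in root.key -pubout -out root-public.key

# Re-sign root CA with a new private key. `-signkey` is the pre-3.0 spelling of `-key`.
# Write to a new file: without `-out` the cert goes to stdout, and writing back onto
# the input file while it is being read is asking for a truncated cert.
openssl x509 -in root.crt -signkey root.key -days 3650 -out root.new.crt

# Add the self-signed root to the p11-kit trust store
# (stored under /etc/ca-certificates/trust-source/ on Arch):
sudo trust anchor root.crt

# ====== Sign fake domain ======
# Clones an existing chain (root -> intermediate -> domain) onto keys you control by
# copying each cert's subject and extensions into a CSR and re-signing it.
# The result is only accepted by clients that trust YOUR root.crt (install it per the
# first section); nothing here bypasses a real trust store. Lab/MITM-test use only.
# `-copy_extensions` needs OpenSSL 3.x. Root key below is unencrypted for scripting
# convenience -- add `-aes-128-cbc` as in "General commands" if it will live anywhere.

# Create private keys:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out intermediate.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out domain.key
chmod 600 root.key intermediate.key domain.key

# Create root CSR from the existing root cert:
openssl x509 -x509toreq -in "$ROOT_CRT" -out root.csr -signkey root.key -copy_extensions copyall

# Generate new (self-signed) root cert:
openssl x509 -req -in root.csr -out root.crt -signkey root.key -days 3650 -copy_extensions copyall

# Create CSR from the existing intermediate cert:
openssl x509 -x509toreq -in "$INTER_CRT" -out intermediate.csr -signkey intermediate.key -copy_extensions copyall

# Re-sign intermediate certificate from CSR with the new root CA
# (`-CAcreateserial` writes root.srl next to root.crt):
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate.crt -copy_extensions copyall -days 3650

# Create CSR from the existing domain cert:
openssl x509 -x509toreq -in "$DOMAIN_CRT" -out domain.csr -signkey domain.key -copy_extensions copyall

# Re-sign domain certificate from CSR with the new intermediate CA:
openssl x509 -req -in domain.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out domain.crt -copy_extensions copyall -days 3650

# Alternative: self-sign the domain certificate directly with its own key (no chain):
openssl x509 -req -in domain.csr -key domain.key -out domain.crt -copy_extensions copyall -days 3650

# Check the rebuilt chain actually validates before deploying it:
openssl verify -CAfile root.crt -untrusted intermediate.crt domain.crt
# Note: leaf validity of 3650 days is longer than some clients accept even from a
# private CA (Apple platforms cap TLS server certs at 825 days) -- shorten if needed.

# ====== Create cert for IP ======
# Modern clients ignore the CN and match the address against subjectAltName, so the
# IP must appear in the SAN. `default_bits` only applies when `req` generates the key;
# the key is generated separately below, so the real size is the 2048 given there.
IP=192.0.2.10   # the address the cert is for -- replace

# Create config file req.cnf (the heredoc expands $IP):
cat > req.cnf <<EOF
[req]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
commonName = $IP

[req_ext]
subjectAltName = IP:$IP
EOF

# Generate key:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ip.key
chmod 600 ip.key

# Generate CSR (file name was misspelled `req.cnfq` before):
openssl req -new -key ip.key -out ip.csr -config req.cnf

# Create cert. `-extensions/-extfile` are required: `x509 -req` does not carry the
# CSR's extensions over by itself (pre-3.0), and without them the SAN is dropped.
openssl x509 -req -days 3650 -in ip.csr -signkey ip.key -out ip.cert -extensions req_ext -extfile req.cnf

# Check the SAN made it into the cert:
openssl x509 -in ip.cert -noout -ext subjectAltName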