8

I'm trying to install this project: https://github.com/versatica/mediasoup-demo

It requires fullchain.pem and privkey.pem files. How do I generate these with openssl or something similar, on Ubuntu 20?

Toodoo
harry young
  • Does this answer your question? [How to create a self-signed certificate with OpenSSL](https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl) – Rob Mar 13 '21 at 14:09

2 Answers

20
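```shell
# Generate an RSA private key
openssl genrsa > privkey.pem
# Create a self-signed certificate from that key (prompts for the subject fields)
openssl req -new -x509 -key privkey.pem > fullchain.pem
```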
harry young
2

Though the accepted answer seems to work (partially), it's got flaws. The following gives you most of what you need for a self-signed certificate:

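```shell
# 1. Create a self-signed root CA (key: ca.key, certificate: ca.crt)
openssl req -new -x509 -nodes -subj "/CN=my.root" -newkey rsa:2048 -keyout ca.key -out ca.crt -reqexts v3_req -extensions v3_ca
# 2. Create the server key and a certificate signing request from ext.conf
openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout domain.key -config ext.conf -out domain.csr
# 3. Sign the request with the CA, adding the subjectAltName entries from ext.conf
openssl x509 -req -in domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out domain.crt -days 500 -sha256 -extfile ext.conf -extensions req_ext
```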

Sample ext.conf:

```ini
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = some_dn

[some_dn]
C = US
ST = Florida
L = Jacksonville
O = SomeOrg
emailAddress = some@email.com
CN = thedomain.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = otherdomain.com
IP.1 = 1.2.3.4
```

Notes:

  • Run `cp domain.key privkey.pem && cat domain.crt ca.crt > fullchain.pem` to get the files OP has mentioned (unlike the accepted answer, the fullchain must contain the CA).
  • Omit -nodes if you want the key to have a passphrase.
  • In ext.conf, CN is your domain & alt_names contains its aliases (especially if your server is not yet pointed to a domain, put your IP here).
  • Install ca.crt as a root CA on your client side so that your certificate is recognized.
  • -reqexts v3_req -extensions v3_ca ensures compatibility of the CA cert with Android clients.
navid
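An added check, not part of either answer, for the files these steps produce: it confirms that privkey.pem matches the first (leaf) certificate in fullchain.pem, that the leaf verifies against ca.crt, and which hostnames the certificate actually covers. The function names and the throwaway sample CA are constructed for illustration; the inline config reuses the subject and SAN values from the sample ext.conf.

```shell
#!/bin/sh
# 0 if private key $1 belongs to the FIRST certificate (the leaf) in bundle $2.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the leaf certificate in bundle $2 verifies against the trusted CA file $1.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if the leaf certificate in $1 is valid for hostname $2 (OpenSSL's own matching).
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Constructed sample input: throwaway CA + leaf in directory $1, using the
# subject and SAN values from the sample ext.conf (inline config, 30-day leaf).
make_sample() {
    ( cd "$1" || exit 1
      cat > ext.conf <<'EOF'
[req]
prompt = no
distinguished_name = some_dn
[some_dn]
CN = thedomain.com
[req_ext]
subjectAltName = DNS:otherdomain.com, IP:1.2.3.4
[ca_ext]
basicConstraints = critical, CA:TRUE
EOF
      openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=my.root" \
          -config ext.conf -extensions ca_ext -keyout ca.key -out ca.crt &&
      openssl req -new -nodes -newkey rsa:2048 -config ext.conf \
          -keyout domain.key -out domain.csr &&
      openssl x509 -req -in domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -out domain.crt -days 30 -sha256 -extfile ext.conf -extensions req_ext &&
      cp domain.key privkey.pem && cat domain.crt ca.crt > fullchain.pem
    ) >/dev/null 2>&1
}

tmp=$(mktemp -d) && make_sample "$tmp" || exit 1
key_matches_cert "$tmp/privkey.pem" "$tmp/fullchain.pem" && echo "key matches leaf"
chains_to_ca "$tmp/ca.crt" "$tmp/fullchain.pem" && echo "leaf chains to ca.crt"
covers_host "$tmp/fullchain.pem" otherdomain.com && echo "otherdomain.com: covered by SAN"
covers_host "$tmp/fullchain.pem" thedomain.com || echo "thedomain.com: not covered, CN only"
```

With a DNS entry present in subjectAltName, OpenSSL's hostname check ignores the CN, so every name the server is reached by has to appear under alt_names.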