How to issue a leaf (end-entity) certificate for a given CSR and a root certificate using `openssl x509`?

Step 1

Create an .ext file with the contents:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = localhost.com
IP.1 = 127.0.0.1

Adjust the [alt_names] section to your needs.

Step 2

openssl x509 \
	-CA ../root/.crt \
	-CAcreateserial \
	-CAkey ../root/.key \
	-days 99999 \
	-extfile .ext \
	-in .csr \
	-out .crt \
	-req \
	-sha256
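
Added example (not part of the original note or the linked answer): a shell check that runs the Step 2 command against a throwaway root and CSR, then confirms that the leaf chains to the root, carries the Step 1 extensions, and matches its private key. The file names (root.crt, leaf.csr, leaf.ext and so on), the demo-root subject and the 30-day validity are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: issue a leaf as in Steps 1-2, then verify the result.
# All file names and subjects below are constructed for this demo.
issue_and_check() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1

    # Throwaway self-signed root CA, plus a leaf key and CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=demo-root" -keyout root.key -out root.crt 2>/dev/null || exit 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=localhost" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1

    # Extension file from Step 1.
    cat > leaf.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = localhost.com
IP.1 = 127.0.0.1
EOF

    # Signing command from Step 2 (validity shortened for the demo).
    openssl x509 -req -sha256 -days 30 -in leaf.csr -extfile leaf.ext \
        -CA root.crt -CAkey root.key -CAcreateserial \
        -out leaf.crt 2>/dev/null || exit 1

    # Check 1: the leaf chains to the root.
    openssl verify -CAfile root.crt leaf.crt >/dev/null || exit 1

    # Check 2: the extensions from the .ext file are in the certificate.
    text=$(openssl x509 -in leaf.crt -noout -text) || exit 1
    echo "$text" | grep -q "CA:FALSE" || exit 1
    echo "$text" | grep -q "DNS:localhost.com" || exit 1
    echo "$text" | grep -q "IP Address:127.0.0.1" || exit 1

    # Check 3: the certificate's public key matches the CSR's private key.
    [ "$(openssl x509 -in leaf.crt -noout -pubkey)" = \
      "$(openssl pkey -in leaf.key -pubout)" ] || exit 1
)

issue_and_check && echo "leaf certificate verified"
```

The same three checks can be run against a real leaf by pointing them at the actual root certificate, leaf certificate and leaf key.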

2023-06-26--02-55-03

stackoverflow.com/a/60516812