# Generating Certificates

## Name Constraints Examples

The following commands were used along with `extensions.conf` to generate the
certificates in `nc.pem` and `nc_fail.pem`.

``` bash
# Once for each certificate.
$ openssl genrsa -out keyN.pem 2048
$ openssl req -new -key keyN.pem -out certN.csr

# <extension> will be v3_ca_nc for the intermediate and v3_req for the device.
$ openssl x509 -req -in certN.csr -CA certN-1.pem -CAkey keyN-1.pem \
    -CAcreateserial -extensions <extension> -extfile extensions.conf -out \
    certN.pem -days 365 -sha256
```

Note: it looks like `openssl req` also accepts extensions via `-reqexts`, but
there is a known bug in OpenSSL where extensions are transferred between CSRs
and X509 certs.
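
The following is an added example, not the project's own script or `extensions.conf`: it runs the same three commands to build a root, a name-constrained intermediate and a device certificate, then uses `openssl verify` to show one chain passing and one failing the constraint. Only the section names `v3_ca_nc` and `v3_req` come from this page; the section contents, the `v3_ca` section, the subjects, the `example.test` names and the function names are assumptions.

```shell
# Added example: all names, subjects and config contents are assumptions.
# write_conf FILE SAN: constructed extensions file; SAN goes in the device cert.
write_conf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ca_nc]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:example.test
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2
EOF
}

# issue DIR N SECTION SUBJECT: sign certN with certN-1, as in the commands above.
issue() {
  local d=$1 n=$2 p=$(( $2 - 1 ))
  openssl genrsa -out "$d/key$n.pem" 2048 2>/dev/null &&
  openssl req -new -key "$d/key$n.pem" -subj "$4" -config "$d/ext.conf" \
    -out "$d/cert$n.csr" &&
  openssl x509 -req -in "$d/cert$n.csr" -CA "$d/cert$p.pem" \
    -CAkey "$d/key$p.pem" -CAcreateserial -extensions "$3" \
    -extfile "$d/ext.conf" -out "$d/cert$n.pem" -days 365 -sha256 2>/dev/null
}

# check_chain DIR SAN: build root -> intermediate -> device, print pass or fail.
check_chain() {
  local d=$1
  mkdir -p "$d" && write_conf "$d/ext.conf" "$2" &&
  openssl genrsa -out "$d/key0.pem" 2048 2>/dev/null &&
  openssl req -x509 -new -key "$d/key0.pem" -subj "/CN=Example Root" \
    -config "$d/ext.conf" -extensions v3_ca -out "$d/cert0.pem" -days 365 &&
  issue "$d" 1 v3_ca_nc "/CN=Example Intermediate" &&
  issue "$d" 2 v3_req "/CN=Example Device" || return 1
  # Name constraints are enforced here, when the chain is validated.
  if openssl verify -CAfile "$d/cert0.pem" -untrusted "$d/cert1.pem" \
       "$d/cert2.pem" >/dev/null 2>&1; then echo pass; else echo fail; fi
}

tmp=$(mktemp -d)
echo "device.example.test: $(check_chain "$tmp/ok" device.example.test)"
echo "device.other.test:   $(check_chain "$tmp/bad" device.other.test)"
```

Signing itself succeeds for both device certificates; the out-of-scope name is only rejected when a verifier walks the chain through the constrained intermediate.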