| ❗ On Git Bash on Windows you may need to turn off path conversion. |
|---|
| You can do so with `export MSYS_NO_PATHCONV=1` |
First of all, you need a root certificate to sign your issued certificates with.
First you need a key to sign your CA certificate with.
Execute this command and save the password somewhere safe, such as a LastPass or 1Password vault:
```sh
openssl genrsa -des3 -out myCA.key 4096
```
This will create a file called `myCA.key`.
Make sure that the permissions on this file are as restrictive as possible.
This command will allow only you (and the root user) to read the file if you are on a Linux system:
```sh
# make file not globally readable (Linux file systems only)
chmod 600 myCA.key
```
Now create the CA certificate itself, signed with that key:
```sh
openssl req -subj '/CN=ca.stumph.dk/O=JoSSte Development CA/C=DK' -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
```
This will create a file called `myCA.pem`.
If you do not want warnings regarding an untrusted authority, you can import this certificate into your system's trusted root store.
This is the server's private key, used to secure the encrypted traffic.
```sh
openssl genrsa -out devserver_stumph_dk.key 4096
```
This will create a file called `devserver_stumph_dk.key`.
Make sure that the permissions on this file are as restrictive as possible.
This command will allow only you (and the root user) to read the file if you are on a Linux system:
```sh
# make file not globally readable (Linux file systems only)
chmod 600 devserver_stumph_dk.key
```
This step will create a certificate signing request for a single domain name:
```sh
openssl req -subj '/CN=devserver.stumph.dk/O=Dev server SSL Certificate/C=DK' -new -key devserver_stumph_dk.key -out devserver_stumph_dk.csr
```
This step will create a certificate signing request for several domains.
Create an OpenSSL config file `req.cfg`. The `[req]` section must point at a `distinguished_name` section (with `prompt = no`, so the subject is read from the file instead of being asked for interactively); otherwise `openssl req -config` cannot build the request subject from the file:
```ini
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
CN = devserver.stumph.dk
O = Dev server SSL Certificate
C = DK
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = devserver.stumph.dk
DNS.2 = *.devserver.stumph.dk
DNS.3 = someothersubdomain.stumph.dk
```
This step will create a certificate signing request for the domains listed above:
```sh
openssl req -new -key devserver_stumph_dk.key -out devserver_stumph_dk.csr -config req.cfg
```
This step signs the request with your CA key and produces the server certificate, applying the extensions listed in `devserver_stumph_dk.ext`:
```sh
openssl x509 -req -in devserver_stumph_dk.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out devserver_stumph_dk.crt -days 1825 -sha256 -extfile devserver_stumph_dk.ext
```
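The signing command above reads an extension file that the Gist does not show. As an added example (not part of the original Gist), the script below constructs such a file from the SAN list, runs the whole CA and server flow in a scratch directory with short-lived 2048-bit keys to keep it fast, and then checks with openssl that the certificate chains to the CA and carries every SAN; the extension contents, file names and 30-day validity are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original Gist): build the .ext file, sign the
# CSR with the local CA, then verify the chain and the SAN list.
# Assumed/constructed here: the extension contents, scratch dir, 30-day validity.
set -eu

# Write an x509v3 extension file: the SANs plus constraints marking the leaf as a
# non-CA server certificate. 'openssl x509 -req' ignores extensions inside the
# CSR unless told otherwise, so the SANs are supplied through -extfile.
write_ext_file() {   # $1 = output path, remaining args = DNS names
  out=$1; shift
  {
    echo 'authorityKeyIdentifier=keyid,issuer'
    echo 'basicConstraints=CA:FALSE'
    echo 'keyUsage=digitalSignature,keyEncipherment'
    echo 'extendedKeyUsage=serverAuth'
    echo 'subjectAltName=@alt_names'
    echo '[alt_names]'
    i=1
    for name in "$@"; do echo "DNS.$i = $name"; i=$((i + 1)); done
  } > "$out"
}

# Runs in the current directory: CA key + cert, server key + CSR, sign, verify.
# Steps are chained with && so a failure anywhere gives a non-zero status.
issue_in_cwd() {   # args = DNS names; the first one becomes the CN
  openssl genrsa -out myCA.key 2048 2>/dev/null &&
  openssl req -subj '/CN=ca.stumph.dk/O=JoSSte Development CA/C=DK' -x509 -new \
    -nodes -key myCA.key -sha256 -days 30 -out myCA.pem &&
  openssl genrsa -out server.key 2048 2>/dev/null &&
  openssl req -subj "/CN=$1/O=Dev server SSL Certificate/C=DK" -new \
    -key server.key -out server.csr &&
  write_ext_file server.ext "$@" &&
  openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
    -out server.crt -days 30 -sha256 -extfile server.ext &&
  openssl verify -CAfile myCA.pem server.crt >/dev/null &&
  openssl x509 -in server.crt -noout -text > server.txt &&
  for name in "$@"; do grep -qF "DNS:$name" server.txt || return 1; done
}

# Isolates all files in a temp dir; returns 0 only if every step succeeded.
issue_and_verify() {
  dir=$(mktemp -d); rc=0
  ( cd "$dir" && issue_in_cwd "$@" ) || rc=$?
  rm -rf "$dir"
  return "$rc"
}

if [ "${1:-}" = run ]; then issue_and_verify devserver.stumph.dk '*.devserver.stumph.dk'; fi
```

Run it as `sh script.sh run`; a zero exit status means the chain verified and all SANs were present.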
As long as your CA certificate is valid, execute step 2.3 to create a new certificate for your server.
If your CA certificate has expired, execute step 1.2, then step 2.3.
- https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
- https://www.thewindowsclub.com/manage-trusted-root-certificates-windows
- https://www.globalsign.com/en/ssl-information-center/choosing-safe-key-sizes
- https://codesigningstore.com/how-to-generate-csr-using-openssl
- https://stackoverflow.com/questions/54258996/git-bash-string-parameter-with-at-start-is-being-expanded-to-a-file-path
- Wildcard Certificates
  - https://grokify.github.io/security/wildcard-subject-alternative-name-ssl-tls-certificates/
  - https://docs.digicert.com/certificate-tools/Certificate-lifecycle-automation-index/automation-user-guide/common-name-cn-wildcard-certificate/
  - https://www.rapidsslonline.com/blog/wildcard-ssl-csr-guide-for-apache
  - https://aboutssl.org/how-to-generate-csr-for-wildcard-ssl-certificate/
- I have named the certificate files based on the domain or subdomain I am using, replacing the dots with underscores. For this Gist, the server name is devserver.stumph.dk, resulting in filenames like devserver_stumph_dk.crt. You may choose to name the files anything you desire.
- I have chosen a key length of 4096 bits. You may choose differently. Do some searching around and choose a key length you are comfortable with. If you are not comfortable with creating keys and certificates, do not use them to secure something you are sensitive about. You should use Let's Encrypt or buy a real certificate. I made this guide because I wanted non-self-signed certificates for my dev work, which is not publicly available.
- I have chosen RSA as the algorithm (`genrsa`). You should research which algorithm is best to use as you read this article. Never take anything for granted when you are doing cryptographic work. A one-year-old article can be out of date.