cozingo · February 24, 2021 12:56
diff --git a/ssl-localhost1.txt b/ssl-localhost1.txt
 https://medium.com/internshala-tech/adding-self-trusted-ssl-certificate-for-localhost-on-ubuntu-nginx-c66d70b22e4b
diff --git a/ssl-localhost2.txt b/ssl-localhost2.txt
 SSL
 The core function of an SSL certificate is to protect server-client communication. In general terms, your data is locked, gets securely transferred over the network and can be unlocked only by the recipient.
 The SSL protocol includes two sub protocols: the record protocol and the handshake protocol. The handshake protocol defines how a web client and web server establish an SSL connection, including cryptographic systems whereas record protocol defines how communicating hosts will exchange data using SSL.
 Handshake process
 1. Server presents its SSL certificate to authenticate itself to the client. Server certificates follow the X.509 certificate format defined by the Public Key Cryptography Standards (PKCS).
 2. The authentication process uses public key encryption to validate the digital certificate and to confirm that a server is, in fact, the server it claims to be.
 3. Optionally, it also allows the client to authenticate itself to the server. Post server authentication, client must send it’s certificate to server for authentication. Once a client’s identity is authenticated, SSL connection can be established.
 4. Your certificate needs to be issued by a valid certificate authority like Amazon, Godaddy etc
 Why do we need to secure localhost?
 As a developer, you often keep the client and server on same system to speed up your development. Also, in a local testing environment, usually you only work with dummy data. Therefore, the need for securing data in-transit is also not there. In that case the probability of data getting leaked over network is almost zero and hence the need to secure your localhost diminishes. But the need to secure localhost arises when you start using third party API’s. Most of these API’s accept request from SSL connections only.
 What’s self trusted certificate?
 There are lots of organisations that provide SSL certificate (Amazon, Cloudfare, etc). These organisations validate your domain’s web presence before issuing certificates. But as you are looking for SSL for local domain it’ss not even possible, as it’s a special domain that no one can claim ownership of. In that case you attest the certificates yourself.
 How to add SSL certificates for localhost?
 This can be divided in three step:
 Generate certificates
 Configuring NGINX to use it
 Adding it to the cert database for browser usage.
 Generating Certificates
 1. Install OpenSSL
 cd /usr/local/src/
 wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz 
 tar -xf openssl-1.1.1g.tar.gz
 cd openssl-1.1.1g
 sudo ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
 sudo make
 sudo make install
 Note: You can choose any OpenSSL tar
 2. Create conf for OpenSSL
 cd
 mkdir local_ssl
 cd local_ssl
 touch open_ssl.conf
 3. Content for open_ssl.conf
 [req]
 distinguished_name = req_distinguished_name
 x509_extensions = v3_req
 prompt = no
 [req_distinguished_name]
 C = <--COUNTRY CODE - 2 Characters-->
 ST = <--PROVINCE/ STATE-->
 L = <--CITY-->
 O = <--ORGANISATION-->
 OU = <--DEPARTMENT-->
 CN = <--CERTIFICATE ISSUER NAME - Can be anything-->
 [v3_req]
 keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = <--DOMAIN NAME-->
 DNS.2 = <--DOMAIN NAME 2-->
 4. Generate certificates
 openssl req -x509 -nodes -days 1024 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config ssl.conf -extensions 'v3_req'
 req is a command that indicates the use of x509.
 x509 is a certificate data management command, indicates the creation of a self-signed certificate;
 nodes is a command that skips the use of a passphrase;
 days 1024 is a term that sets the certificate validity period in days
 newkey rsa: 2048 is a command that generates a new private key using the RSA algorithm with a key length of 2048 bits;
 keyout localhost.key is the path to place the private key file;
 out localhost.crt is the path to place the certificate file;
 config openssl.cnf is the path to the configuration file.
 Configuring NGINX
 Copy certificate and key to ssl directory
 sudo cp localhost.crt /etc/ssl/certs/localhost.crt
 sudo cp localhost.key /etc/ssl/private/localhost.key
 2. NGINX conf
 Add the following lines your *.conf file
 server {
      listen 443 ssl;
      listen [::]:443 ssl;
      ssl_certificate /etc/ssl/certs/localhost.crt;
      ssl_certificate_key /etc/ssl/private/localhost.key;
      ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 If you want to redirect all your HTTP request to HTTPS then add the following code in the *.conf file
 server {
    listen 80;
    listen [::]:80;
    server_name <YOUR-SERVER-NAME>;
    return 301 https://$server_name$request_uri;
 }
 Check NGINX conf and reload NGINX
 sudo nginx -t
 sudo service nginx reload
 Adding certificates to database
 Image for post
 Certificate authority invalid error
 Now if you will open your local website, your website will throw error “Your connection is not secure”. Reason being, NGINX is redirecting it to https domain, but the browser thinks that the certificate is not authentic as it was self attested.
 We need to add the generated SSL certificate to the database that browser uses. For this we will use “certutil” utility which is part of the libnss3-tools package.
 sudo apt-get update
 sudo apt-get install libnss3-tools
 To add certificate to the database, navigate to the directory where localhost.crt is kept and then run the following command.
 certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i localhost.crt
 Now reboot NGINX, close the browser (incognito too) and reopen browser. Restarting of browser is important or else it will not read the update database. While navigating to the your local domain, you can see secure lock over the domain in the url.
 Image for post
 Chrome browser — Certificate issue resolved
 Note: This has been tested on Chrome and opera. And it is working fine on these browsers. Firefox will throw error “Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT”. In that case you need to go to settings and add your local domains certificate to exception. Or you can simply click on “Accept Risk and Continue”.
	SSL
	The core function of an SSL certificate is to protect server-client communication. In general terms, your data is locked, gets securely transferred over the network and can be unlocked only by the recipient.
	The SSL protocol includes two sub protocols: the record protocol and the handshake protocol. The handshake protocol defines how a web client and web server establish an SSL connection, including cryptographic systems whereas record protocol defines how communicating hosts will exchange data using SSL.
	Handshake process
	1. Server presents its SSL certificate to authenticate itself to the client. Server certificates follow the X.509 certificate format defined by the Public Key Cryptography Standards (PKCS).
	2. The authentication process uses public key encryption to validate the digital certificate and to confirm that a server is, in fact, the server it claims to be.
	3. Optionally, it also allows the client to authenticate itself to the server. Post server authentication, client must send it’s certificate to server for authentication. Once a client’s identity is authenticated, SSL connection can be established.
	4. Your certificate needs to be issued by a valid certificate authority like Amazon, Godaddy etc
	Why do we need to secure localhost?
	As a developer, you often keep the client and server on same system to speed up your development. Also, in a local testing environment, usually you only work with dummy data. Therefore, the need for securing data in-transit is also not there. In that case the probability of data getting leaked over network is almost zero and hence the need to secure your localhost diminishes. But the need to secure localhost arises when you start using third party API’s. Most of these API’s accept request from SSL connections only.
	What’s self trusted certificate?
	There are lots of organisations that provide SSL certificate (Amazon, Cloudfare, etc). These organisations validate your domain’s web presence before issuing certificates. But as you are looking for SSL for local domain it’ss not even possible, as it’s a special domain that no one can claim ownership of. In that case you attest the certificates yourself.
	How to add SSL certificates for localhost?
	This can be divided in three step:
	Generate certificates
	Configuring NGINX to use it
	Adding it to the cert database for browser usage.
	Generating Certificates
	1. Install OpenSSL
	cd /usr/local/src/
	wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
	tar -xf openssl-1.1.1g.tar.gz
	cd openssl-1.1.1g
	sudo ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
	sudo make
	sudo make install
	Note: You can choose any OpenSSL tar
	2. Create conf for OpenSSL
	cd
	mkdir local_ssl
	cd local_ssl
	touch open_ssl.conf
	3. Content for open_ssl.conf
	[req]
	distinguished_name = req_distinguished_name
	x509_extensions = v3_req
	prompt = no
	[req_distinguished_name]
	C = <--COUNTRY CODE - 2 Characters-->
	ST = <--PROVINCE/ STATE-->
	L = <--CITY-->
	O = <--ORGANISATION-->
	OU = <--DEPARTMENT-->
	CN = <--CERTIFICATE ISSUER NAME - Can be anything-->
	[v3_req]
	keyUsage = keyEncipherment, dataEncipherment
	extendedKeyUsage = serverAuth
	subjectAltName = @alt_names
	[alt_names]
	DNS.1 = <--DOMAIN NAME-->
	DNS.2 = <--DOMAIN NAME 2-->
	4. Generate certificates
	openssl req -x509 -nodes -days 1024 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config ssl.conf -extensions 'v3_req'
	req is a command that indicates the use of x509.
	x509 is a certificate data management command, indicates the creation of a self-signed certificate;
	nodes is a command that skips the use of a passphrase;
	days 1024 is a term that sets the certificate validity period in days
	newkey rsa: 2048 is a command that generates a new private key using the RSA algorithm with a key length of 2048 bits;
	keyout localhost.key is the path to place the private key file;
	out localhost.crt is the path to place the certificate file;
	config openssl.cnf is the path to the configuration file.
	Configuring NGINX
	Copy certificate and key to ssl directory
	sudo cp localhost.crt /etc/ssl/certs/localhost.crt
	sudo cp localhost.key /etc/ssl/private/localhost.key
	2. NGINX conf
	Add the following lines your *.conf file
	server {
	listen 443 ssl;
	listen [::]:443 ssl;
	ssl_certificate /etc/ssl/certs/localhost.crt;
	ssl_certificate_key /etc/ssl/private/localhost.key;
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
	If you want to redirect all your HTTP request to HTTPS then add the following code in the *.conf file
	server {
	listen 80;
	listen [::]:80;
	server_name <YOUR-SERVER-NAME>;
	return 301 https://$server_name$request_uri;
	}
	Check NGINX conf and reload NGINX
	sudo nginx -t
	sudo service nginx reload
	Adding certificates to database
	Image for post
	Certificate authority invalid error
	Now if you will open your local website, your website will throw error “Your connection is not secure”. Reason being, NGINX is redirecting it to https domain, but the browser thinks that the certificate is not authentic as it was self attested.
	We need to add the generated SSL certificate to the database that browser uses. For this we will use “certutil” utility which is part of the libnss3-tools package.
	sudo apt-get update
	sudo apt-get install libnss3-tools
	To add certificate to the database, navigate to the directory where localhost.crt is kept and then run the following command.
	certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i localhost.crt
	Now reboot NGINX, close the browser (incognito too) and reopen browser. Restarting of browser is important or else it will not read the update database. While navigating to the your local domain, you can see secure lock over the domain in the url.
	Image for post
	Chrome browser — Certificate issue resolved
	Note: This has been tested on Chrome and opera. And it is working fine on these browsers. Firefox will throw error “Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT”. In that case you need to go to settings and add your local domains certificate to exception. Or you can simply click on “Accept Risk and Continue”.