
@jackinf
Last active May 5, 2020 16:05
OpenSSL; Certificates https://letsencrypt.org/docs/certificates-for-localhost/; Dockerfile certs

Certificates

Generate certificates

#!/bin/bash
# Generates a private CA, a server key/CSR, a CA-signed server certificate and
# DH parameters, laid out for an nginx proxy. Development use only.
set -eu

LOCATION=${1:-'/tmp'}

# Files required by nginx proxy
SERVER_CERT="${LOCATION}/proxycert"
SERVER_KEY="${LOCATION}/proxykey"
DHPARAM="${LOCATION}/dhparam"

# Files used in generating the required files.
CA_KEY="${LOCATION}/ca.key"
CA_CRT="${LOCATION}/ca.crt"
SERVER_CSR="${LOCATION}/server.csr"

echo "$SERVER_KEY, $SERVER_CERT, $DHPARAM, $CA_KEY"

printf "# Create new dhparam. This may take a few minutes...\n"
# 2048 bits is the smallest DH group size TLS clients accept.
openssl dhparam -out "$DHPARAM" 2048

printf "\n# Create the CA...\n"
# Create the CA key and certificate that will sign the server cert.
# Just enter 'pass' for the passphrase.
# All other details can be left blank.
openssl genrsa -des3 -out "$CA_KEY" 4096
openssl req -new -x509 -days 365 -key "$CA_KEY" -out "$CA_CRT"

printf "\n# Create the Server Key...\n"
# Create the Server Key, CSR, and Certificate
# I don't want a passphrase here: nginx has to read the key unattended.
# All fields can be left blank
openssl genrsa -out "$SERVER_KEY" 4096

printf "\n# Create the Server CSR...\n"
openssl req -new -key "$SERVER_KEY" -out "$SERVER_CSR"

printf "\n# Sign the Server CSR with our own CA...\n"
# The server cert is signed by a CA we made ourselves, so clients trust it only
# if ca.crt is in their trust store. This is a no-no in production.
# Just need to enter the same passphrase used in creating the CA.
# No subjectAltName is added here; browsers ignore CN for hostname checks, so
# pass one via -extfile if a browser must accept this cert.
openssl x509 -req -days 365 -in "$SERVER_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -set_serial 01 -out "$SERVER_CERT"

Dockerfile: .NET runtime image with additional trusted root certificates

FROM microsoft/dotnet:2.0.5-runtime-deps-stretch
ENV TZ CET
# Set the timezone and install tzdata plus the system CA bundle
RUN echo $TZ > /etc/timezone && \
    apt-get update && apt-get install -y tzdata ca-certificates && \
    rm /etc/localtime && \
    ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \
    dpkg-reconfigure -f noninteractive tzdata && \
    apt-get clean
# Add extra root CAs (placeholder file names) to the system trust store.
# update-ca-certificates only picks up files ending in .crt from this directory.
COPY ./ca-certificates/TRUSTEDROOT_CER_FILE.crt /usr/local/share/ca-certificates/
COPY ./ca-certificates/DIGICERT_CER_FILE.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates --fresh
RUN mkdir -p /dotnetapp
WORKDIR /dotnetapp
COPY . /dotnetapp
ENTRYPOINT ["/dotnetapp/TheApp"]

OpenSSL commands for working with certificates

Option 1. Self-signed certificate with a subjectAltName, which is what browsers require for localhost.

openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

Option 2. Key and CSR first, then self-sign the CSR (no subjectAltName is added).

openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
openssl x509 -req -days 365 -in csr.pem -signkey key.pem -out server.crt

Option 3. Bare RSA key pair (2048 bits is the current minimum key size).

openssl genrsa -out key.rsa 2048
openssl rsa -in key.rsa -pubout > key.rsa.pub

Option 4. One-shot self-signed certificate with the subject given on the command line
(https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/27931596#27931596).

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=localhost"
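An added check, not part of the gist: a POSIX sh function that validates what the generation script above and Options 1 and 2 produce the way a TLS client would (chain, key/cert match, hostname in the SAN). It assumes only that `openssl` (1.1.1 or newer) is on PATH; the file paths in the usage comment are the script's own.

```shell
#!/bin/sh
# Added example: validate a generated server certificate before nginx or a
# browser is pointed at it. Assumes `openssl` is on PATH (1.1.1 or newer).
#
# check_server_cert CERT KEY CA_CERT HOSTNAME
#   returns 0 only when all three client-side checks pass:
#   (a) CERT chains to CA_CERT (for a self-signed cert, pass CERT as CA_CERT)
#   (b) KEY is the private key belonging to CERT
#   (c) CERT carries HOSTNAME in subjectAltName; browsers ignore CN, so a
#       cert made with Option 2 (no SAN) fails here even though it verifies.
check_server_cert() {
  cert=$1; key=$2; ca=$3; host=$4

  # (a) signature chain and validity period, as a client evaluates them
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca" >&2
    return 1
  fi

  # (b) the public key in the cert must equal the public half of the key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert" >&2
    return 1
  fi

  # (c) a DNS SAN entry for the hostname (match a whole entry, not a prefix)
  if ! openssl x509 -in "$cert" -noout -text \
       | grep -Eq "(^|[ ,])DNS:$host(,|\$)"; then
    echo "FAIL: $cert has no subjectAltName DNS:$host" >&2
    return 1
  fi

  echo "OK: $cert verifies against $ca, matches $key and covers $host"
  return 0
}

# Usage with the files the script above writes to /tmp:
#   check_server_cert /tmp/proxycert /tmp/proxykey /tmp/ca.crt localhost
```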

Dockerfile: Alpine base image with the system CA bundle installed

FROM alpine
LABEL maintainer="Octoblu <[email protected]>"
# ca-certificates provides the root store; drop the apk cache afterwards to keep the image small
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*

Node/TypeScript helper that writes an OpenSSL config and generates a self-signed localhost certificate

import { writeFileSync } from 'fs';
import { exec } from '../utils';
import {
  SSL_FOLDER_PATH,
  SERVER_CRT_PATH,
  SERVER_KEY_PATH,
  CONFIG_SSL_PATH,
} from '../../shared/server/constants';

/**
 * This is the default configuration that openssl will use
 * to generate a new certificate.
 *
 * It is versioned here and regenerated on every run to avoid having
 * one more config file floating through the project and to
 * avoid issues in case it goes missing in your local environment.
 */
const configuration = `
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=NL
ST=North-Holland
L=Amsterdam
O=Company
OU=Company
[email protected]
CN=localhost
`;

/**
 * Generates the credentials using the constant paths defined outside.
 *
 * Existing files are overwritten on purpose, to avoid having to
 * handle stale or partially written files on disk.
 */
try {
  /** Creates the hidden folder for ssl certificates. */
  exec(`mkdir -p ${SSL_FOLDER_PATH}`);
  /** Writes down the configuration to be used in the next step. */
  writeFileSync(CONFIG_SSL_PATH, configuration);
  /**
   * Generates the key and crt files using the specified configuration.
   * No -days is given, so openssl's default validity of 30 days applies,
   * and no subjectAltName is set, so browsers will still warn on this cert.
   */
  exec(`openssl req -nodes -new -x509 -keyout ${SERVER_KEY_PATH} -out ${SERVER_CRT_PATH} -config ${CONFIG_SSL_PATH}`);
} catch (err) {
  throw new Error(`Failed to generate SSL credentials: ${err}`);
}