@joe-oli
Last active December 19, 2019 01:12
notes on creating a self-signed SSL Digital Cert x509
Creating a Self-Signed Certificate
As with enabling HTTPS on a production site, you first need a certificate. For a production site you request one from a certificate authority such as Let's Encrypt or Comodo; for a local dev environment you can generate a self-signed certificate on the command line. It used to be as simple as this command:
openssl req -new -sha256 -newkey rsa:2048 -nodes \
-keyout dev.deliciousbrains.com.key -x509 -days 365 \
-out dev.deliciousbrains.com.crt
Running that command, you get asked a few questions:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:dev.deliciousbrains.com
Email Address []:
Most of these questions did not matter for a dev environment certificate. The answers show up when you look at the certificate details, but they have no effect on whether the browser considers the site secure. The only answer that really mattered was the Common Name (CN), because that is what determined which domain the certificate was valid for.
Now even the CN is not enough. As of Chrome 58 and Firefox 48 the CN is ignored when matching a hostname against a certificate; only the names in the Subject Alternative Name (SAN) extension are checked. The hostname must therefore be listed in the SAN section of the certificate.
Since the SAN cannot be supplied through the interactive prompts, we need to give OpenSSL a configuration file and define the SAN there. The command becomes:
openssl req -config dev.deliciousbrains.com.conf -new -sha256 -newkey rsa:2048 \
-nodes -keyout dev.deliciousbrains.com.key -x509 -days 365 \
-out dev.deliciousbrains.com.crt
Use the config from this answer as a starting point:
http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/27931596#27931596
The only change I made was replacing the DNS.1 = example.com line with DNS.1 = dev.deliciousbrains.com and removed the rest of the DNS lines underneath it. Here’s the full config with comments removed and formatting cleaned up:
-----
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = New York
organizationName = Organization Name (eg, company)
organizationName_default = Example, LLC
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example Company
emailAddress = Email Address
emailAddress_default = [email protected]
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = dev.deliciousbrains.com
-----
Two things to be aware of with this config. With -x509 OpenSSL applies the x509_ext section (x509_extensions) when it builds the self-signed certificate; req_ext (req_extensions) is only used when you generate a CSR instead, so the subjectAltName line has to be present in x509_ext for the SAN to end up in the certificate. The *_default values in the subject section are just prompt defaults and can be anything, and default_keyfile is overridden by -keyout on the command line. You can confirm the SAN made it in with openssl x509 -in dev.deliciousbrains.com.crt -noout -text and looking for the X509v3 Subject Alternative Name line.
Installing the Certificate
---
Next you'll need to install the certificate and key into Nginx, Apache, or whatever web server you're using.
* If you are using the Node http-server package it's easy: put the certificate and key in the folder you start the server from and add the --ssl (or -S) option. By default it looks for files named cert.pem and key.pem, so either name them that way or point it at yours with -C and -K.
>http-server --ssl
When you then browse to https://yourUrl.com (the hostname you put in the SAN) you may still get a browser privacy error:
ERR_CERT_AUTHORITY_INVALID. The browser doesn't trust the certificate because we self-signed it instead of getting it from a certificate authority the browser already trusts. A valid SAN gets you past the hostname check; it does nothing for the trust check.
You have two options. Add the self-signed certificate itself to the trusted root store (on Windows, the Trusted Root Certification Authorities store);
OR, better, create your own certificate authority: just another certificate, with CA:TRUE, whose only job is to sign other certificates.
- Install the CA certificate (and only that, never its private key) in the trusted root store;
- and generate the per-host certificates from it. Each new dev certificate is then trusted automatically, and the key the browser trusts as a root never has to sit in a web server's config.
HOW? Left as an exercise for the reader!
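Here is that exercise worked through, as an added example that is not part of the gist. It covers both procedures on this page: the self-signed certificate with its SAN in the x509_ext section, and the private CA plus a CA-signed leaf certificate, with checks that the SAN is really in the certificate and that the leaf chains to the CA the way a browser would verify it once ca.crt is in the root store. The scratch directory ./certs, the hostname dev.example.test, the CA name "Local Dev CA" and all file names are assumptions; everything else is plain OpenSSL (1.0.2 or later).

```shell
#!/bin/sh
# Added example, not from the gist: self-signed cert with a SAN, then a local CA
# and a CA-signed leaf cert, with verification of both. Assumed (change to taste):
# scratch dir ./certs, hostname dev.example.test, CA name "Local Dev CA".
set -eu

WORKDIR="${WORKDIR:-./certs}"       # assumed scratch directory for keys and certs
HOST="${HOST:-dev.example.test}"    # assumed dev hostname that goes into the SAN

# Minimal req config for a server cert. The SAN sits in x509_ext, which is what
# "openssl req -x509" applies; req_ext is only used when producing a CSR.
write_server_conf() {
    cat > "$2" <<EOF
[ req ]
prompt = no
distinguished_name = subject
x509_extensions = x509_ext
req_extensions = req_ext
[ subject ]
CN = $1
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$1
EOF
}

# Config for the private CA: CA:TRUE, keyCertSign, pathlen:0 so it cannot issue
# intermediates. Only ca.crt goes into the root store; ca.key stays offline.
write_ca_conf() {
    cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = subject
x509_extensions = ca_ext
[ subject ]
CN = Local Dev CA
[ ca_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Part 1: the self-signed certificate from the notes, SAN included.
make_self_signed() {
    mkdir -p "$WORKDIR"
    write_server_conf "$HOST" "$WORKDIR/$HOST.conf"
    openssl req -config "$WORKDIR/$HOST.conf" -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$HOST.selfsigned.key" -x509 -days 365 \
        -out "$WORKDIR/$HOST.selfsigned.crt" 2>/dev/null
}

# Part 2a: the private CA (the one certificate you import into the root store).
make_local_ca() {
    mkdir -p "$WORKDIR"
    write_ca_conf "$WORKDIR/ca.conf"
    openssl req -config "$WORKDIR/ca.conf" -new -x509 -sha256 -newkey rsa:2048 -nodes \
        -days 3650 -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Part 2b: a CSR for the host, signed by the CA. The SAN is taken from -extfile:
# "openssl x509 -req" does not copy extensions out of the CSR unless told to.
issue_cert() {
    write_server_conf "$HOST" "$WORKDIR/$HOST.conf"
    openssl req -config "$WORKDIR/$HOST.conf" -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$HOST.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$HOST.conf" -extensions x509_ext \
        -out "$WORKDIR/$HOST.crt" 2>/dev/null
}

# Checks. san_names prints the DNS entries of the SAN; empty output means the
# extension is missing, which is exactly what modern browsers reject.
san_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' || true
}
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
# Succeeds only if the cert chains to the given CA, i.e. what a browser does
# once ca.crt is in its root store. A bare self-signed cert will not pass this.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    make_self_signed
    echo "self-signed SAN: $(san_names "$WORKDIR/$HOST.selfsigned.crt")"
    make_local_ca
    issue_cert
    echo "CA-issued SAN:   $(san_names "$WORKDIR/$HOST.crt")"
    verify_chain "$WORKDIR/ca.crt" "$WORKDIR/$HOST.crt" && echo "chain OK: $HOST.crt <- ca.crt"
    verify_chain "$WORKDIR/ca.crt" "$WORKDIR/$HOST.selfsigned.crt" \
        || echo "as expected, the self-signed cert does not chain to ca.crt"
}

# Run the whole procedure with:  sh selfsigned.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

After running it, ca.crt is the file to import into the trusted root store and dev.example.test.crt plus dev.example.test.key go to the web server. The self-signed variant is kept alongside only to show the difference: it carries the right SAN, so the hostname check passes, but it cannot chain to anything, which is the ERR_CERT_AUTHORITY_INVALID case.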