- tls
- x509
- https
- Create CA key
openssl genrsa -des3 -out demo-authority.key 2048
- Create CA certificate (self-signed with the CA key)
openssl req -x509 -new -nodes -key demo-authority.key -sha256 -days 1825 -out demo-authority.crt
- Trust CA certificate (system / browser)
This varies by operating system. Some applications, e.g. Firefox and npm, also have their own way of trusting certificates and don't simply trust the certificates trusted by the operating system.
- Create server key
openssl genrsa -out demo-server.key 2048
- Create CSR - Certificate Signing Request
openssl req -new -key demo-server.key -out demo-server.csr
Also create demo-server.ext with this content:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
- Send CSR to CA
cp demo-server.csr demo-server.ext ../demo-authority/.
- Sign certificate
openssl x509 -req -in demo-server.csr -CA demo-authority.crt -CAkey demo-authority.key -CAcreateserial -out demo-server.crt -days 1825 -sha256 -extfile demo-server.ext
- Send back to server
cp demo-server.crt ../demo-server/.
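The steps above run end to end, followed by the checks worth doing before installing the certificate: it chains to the CA, it is not itself a CA, and its subjectAltName lists the expected host. This is an added example, not part of the original guide; the `-subj` values, the single working directory and the function names `make_demo_pki` and `check_server_cert` are assumptions, and `-des3` is left off the CA key so nothing prompts for a passphrase.

```shell
#!/bin/sh
# Added example: the guide's commands, non-interactive, then verified.
# Assumptions (not from the guide): -subj values, one working directory,
# and no -des3 on the CA key so the run needs no passphrase.

make_demo_pki() (   # $1 = empty working directory
  cd "$1" || exit 1
  openssl genrsa -out demo-authority.key 2048 2>/dev/null || exit 1
  openssl req -x509 -new -nodes -key demo-authority.key -sha256 -days 1825 \
    -subj "/CN=Demo Authority" -out demo-authority.crt || exit 1
  openssl genrsa -out demo-server.key 2048 2>/dev/null || exit 1
  openssl req -new -key demo-server.key -subj "/CN=localhost" \
    -out demo-server.csr || exit 1
  # demo-server.ext exactly as given in the guide
  cat > demo-server.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
EOF
  openssl x509 -req -in demo-server.csr -CA demo-authority.crt \
    -CAkey demo-authority.key -CAcreateserial -out demo-server.crt \
    -days 1825 -sha256 -extfile demo-server.ext 2>/dev/null
)

# Returns 0 only if the certificate chains to the CA, is not itself a CA,
# and lists the expected host name in subjectAltName.
check_server_cert() {   # $1 = CA cert, $2 = server cert, $3 = host name
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$2" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' |
    tail -n 1 | tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$3"
}

demo_dir=$(mktemp -d)
if make_demo_pki "$demo_dir" &&
   check_server_cert "$demo_dir/demo-authority.crt" \
     "$demo_dir/demo-server.crt" localhost
then echo "demo-server.crt: chain, CA:FALSE and SAN checks passed"
else echo "demo-server.crt: check failed" >&2
fi
```

The SAN check matters because a certificate signed without `-extfile demo-server.ext` still passes `openssl verify` but carries no subjectAltName, which current browsers reject.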
I created this summary guide for presentation purposes from the following more detailed guides: