Make yourself a Certification Authority (SSL, HTTPS) and stop browsers from nagging about your connections not being private.

If you are fed up with browsers nagging you about the privacy and security of your self-signed application certificates, it is time to take matters into your own hands: become a full-fledged Certification Authority (minus the actual certification business) in just a few simple steps and stop that nagging once and for all.

For things to just work you first have to generate the two files every Certification Authority needs: a private key and a root certificate. Start with the key by typing the following in your Linux terminal:

openssl genrsa -des3 -out personal_CA.key 2048

You will be prompted for a passphrase; it protects the key so that anyone who gets hold of your private key file cannot use it to sign certificates of their own. Then generate the root certificate with:

openssl req -x509 -new -nodes -key personal_CA.key -sha256 -days 1825 -out personal_CA.pem

After answering a few questions and entering the passphrase you created earlier, a .pem file (your root certificate) will be created. You now have to import that file on every machine you use to visit your services. In Firefox, go to Settings > Privacy and Security > Certificates, click View Certificates and, on the Authorities tab, hit Import... and select your newly created certificate. On Android, open the phone Settings and search for Certificates to import yours.

With the CA certificate imported, it is time to generate a certificate for each of the services you need to secure, so, as usual, you go to your trusty terminal and type:

openssl genrsa -out myawesomeservice.lan.key 2048

After that you make a signing request to the authority, which would be you by the way, with the following:

openssl req -new -key myawesomeservice.lan.key -out myawesomeservice.lan.csr

You answer the same questions as above and in the end you get a .csr file.

Finally, you have to create an extension file that holds the hostname of your service (browsers check the subjectAltName, not just the common name), so open your favorite editor and enter the following:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = myawesomeservice.lan

You then save the file as myawesomeservice.lan.ext.

Now comes the big moment, where you use all the files created so far to produce the actual certificate your web server will use. For that you type:

openssl x509 -req -in myawesomeservice.lan.csr -CA personal_CA.pem -CAkey personal_CA.key -CAcreateserial -out myawesomeservice.lan.crt -days 825 -sha256 -extfile myawesomeservice.lan.ext

You can now use the key and the certificate for your domain, that is the .key and the .crt files: copy them to the appropriate folder for your setup and visit your web app to reap the fruits of your labor.

Once you are familiar with the procedure, it is time to script the domain-certificate part to speed things up:

#!/bin/sh
# Usage: ./mkcert.sh myawesomeservice.lan
# Issued files land in ~/certs; the CA files created above (personal_CA.key
# and personal_CA.pem) are expected one level up from that directory.
set -e
if [ "$#" -ne 1 ]
then
  echo "Usage: $0 <domain>"
  exit 1
fi
DOMAIN=$1
cd ~/certs
# Private key for the service
openssl genrsa -out "$DOMAIN.key" 2048
# Signing request (you will be asked the same questions as before)
openssl req -new -key "$DOMAIN.key" -out "$DOMAIN.csr"
# Extension file carrying the subjectAltName browsers require
cat > "$DOMAIN.ext" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF
# Sign the request with your CA (you will be asked for the CA passphrase)
openssl x509 -req -in "$DOMAIN.csr" -CA ../personal_CA.pem -CAkey ../personal_CA.key -CAcreateserial -out "$DOMAIN.crt" -days 825 -sha256 -extfile "$DOMAIN.ext"
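Before copying the files to the web server it is worth checking the result the way a browser will: the certificate must chain to your CA and must carry the hostname in its subjectAltName. The script below is an added example, not code from the original post; it runs the whole CA-and-leaf flow non-interactively in a scratch directory (so the CA key is left unencrypted, unlike the -des3 key above) and then runs that check with openssl verify. The CA name, the lab.example and other.example hostnames and the scratch directory are constructed placeholders; openssl is assumed to be in PATH.

```shell
#!/bin/sh
# Added example (not part of the original post): the same CA-and-leaf flow
# run non-interactively in a scratch directory, followed by the check a
# browser performs (chain to the CA plus hostname match in the SAN).
# Assumptions: openssl is in PATH; the CA name, the lab.example and
# other.example hostnames and the scratch directory are constructed.
set -eu

# make_ca DIR NAME: unencrypted CA key plus self-signed root certificate.
# The post protects the CA key with -des3; that is left out here only so
# the example runs without a passphrase prompt.
make_ca() {
    dir=$1; name=$2
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 1825 \
        -subj "/CN=$name" -out "$dir/ca.pem"
}

# issue_cert DIR DOMAIN: service key, CSR, extension file with the SAN,
# and the signed certificate, same steps as the post's script.
issue_cert() {
    dir=$1; domain=$2
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -out "$dir/$domain.csr"
    cat > "$dir/$domain.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
EOF
    openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$domain.crt" \
        -days 825 -sha256 -extfile "$dir/$domain.ext" 2>/dev/null
}

# verify_cert DIR CERTFILE HOSTNAME: exit 0 only if CERTFILE chains to
# ca.pem AND matches HOSTNAME, which is what the browser checks. This
# catches the two usual mistakes: signing with the wrong CA and leaving
# the subjectAltName out of the .ext file.
verify_cert() {
    dir=$1; cert=$2; host=$3
    openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" \
        "$dir/$cert" >/dev/null 2>&1
}

# san_present DIR DOMAIN: exit 0 if DNS:DOMAIN appears in the certificate.
san_present() {
    dir=$1; domain=$2
    openssl x509 -in "$dir/$domain.crt" -noout -text | grep -q "DNS:$domain"
}

# Stand-alone run: scratch CA, two leaf certificates, positive and
# negative verification.
WORK=$(mktemp -d)
make_ca "$WORK" "Example Personal CA"
issue_cert "$WORK" lab.example
issue_cert "$WORK" other.example
if verify_cert "$WORK" lab.example.crt lab.example; then
    echo "lab.example.crt: chain and hostname OK"
fi
# A certificate issued for another name must be rejected for lab.example.
if ! verify_cert "$WORK" other.example.crt lab.example; then
    echo "other.example.crt: correctly rejected for lab.example"
fi
rm -rf "$WORK"
```

To check a certificate produced by the script above, point verify_cert at your real files, e.g. the CA directory, myawesomeservice.lan.crt and the hostname; a non-zero exit means the browser will complain no matter how many times you import the CA.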

Et Voilà, no more dreaded ‘Your connection is not private’ messages.