If you are fed up with browsers nagging you about the privacy and security of your self-signed app certificates, then it is time to take matters into your own hands and become a full-fledged Certification Authority, without the actual certification part, in just a few simple steps, and stop that nagging once and for all.
In order for things to just work, you first have to generate a couple of files that Certification Authorities need, so type the following in your Linux terminal:
openssl genrsa -des3 -out personal_CA.key 2048
You will be prompted for a passphrase; it will prevent anyone who gets hold of your private key from using it to generate a root certificate of their own. Then you generate a root certificate with:
openssl req -x509 -new -nodes -key personal_CA.key -sha256 -days 1825 -out personal_CA.pem
After answering a few questions and entering the passphrase you created earlier, a .pem file will be created. You now have to import that file on every machine you use to visit your services. If you happen to use Firefox, go to Settings > Privacy and Security > Certificates, click View Certificates, and on the Authorities tab hit Import... and select your newly created certificate. On Android, open the phone Settings and search for Certificates in order to import yours.
After importing the CA cert, it is time to generate the certificates for each of the services you need to secure, so as usual you go to your trusty terminal and type:
openssl genrsa -out myawesomeservice.lan.key 2048
After that you make a request to the authority that will sign your cert (that would be you, by the way) with the following:
openssl req -new -key myawesomeservice.lan.key -out myawesomeservice.lan.csr
You answer the same questions as above and in the end you get a .csr file.
Finally, you have to create a config file that will hold the hostname of your service (the DNS name the browser will type in the address bar), so you open your favorite editor and enter the following:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = myawesomeservice.lan
You then save the file as myawesomeservice.lan.ext, the name the signing command below expects.
It's now time for the big moment where you get to use all the files created so far to obtain the actual certificate your web server will use, so for that you type:
openssl x509 -req -in myawesomeservice.lan.csr -CA personal_CA.pem -CAkey personal_CA.key -CAcreateserial -out myawesomeservice.lan.crt -days 825 -sha256 -extfile myawesomeservice.lan.ext
You can now use the key along with the certificate for your domain (that would be the .key and the .crt files): copy them to the appropriate folder for your setup and visit your web app to reap the fruits of your labor.
After familiarizing yourself with the procedure, it is time to create a script for the domain cert part that will speed things up:
#!/bin/sh
if [ "$#" -ne 1 ]
then
    echo "Usage: Must supply a domain"
    exit 1
fi
DOMAIN=$1
# All per-service files live in ~/certs; the CA key and cert generated
# earlier (personal_CA.key / personal_CA.pem) sit one directory up.
cd ~/certs || exit 1
openssl genrsa -out "$DOMAIN.key" 2048
openssl req -new -key "$DOMAIN.key" -out "$DOMAIN.csr"
cat > "$DOMAIN.ext" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF
openssl x509 -req -in "$DOMAIN.csr" -CA ../personal_CA.pem -CAkey ../personal_CA.key -CAcreateserial -out "$DOMAIN.crt" -days 825 -sha256 -extfile "$DOMAIN.ext"
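As an added example, not part of the original post, here is the whole procedure (CA, service key, CSR, extension file, signed cert) as one non-interactive script, followed by the three checks worth running before the .key/.crt pair goes anywhere near a web server: that the cert actually chains to the CA, that the hostname is in the subjectAltName, and that the service cert is marked CA:FALSE. It assumes openssl 1.1.1 or later is on PATH (for the -ext option), replaces the interactive questions with -subj, and uses -nodes on the CA key only so it can run unattended; the directory and the names in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: the procedure above as one
# non-interactive script plus verification checks. Assumes openssl >= 1.1.1
# on PATH. Working directory and names below are constructed for the example.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/personal_CA.key"
CA_PEM="$WORK/personal_CA.pem"

# Step 1: CA key and self-signed root certificate. -subj replaces the
# interactive questions; -nodes skips the passphrase so the script can run
# unattended, which is only acceptable for a throwaway CA like this one.
make_ca() {
    openssl genrsa -out "$CA_KEY" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 1825 \
        -subj "/CN=Personal Home CA" -out "$CA_PEM"
}

# Step 2: per-service key, CSR, extension file with the SAN, and the signed
# certificate, with the same extension file as in the post.
make_leaf() {
    domain="$1"
    openssl genrsa -out "$WORK/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$domain.key" -subj "/CN=$domain" \
        -out "$WORK/$domain.csr"
    cat > "$WORK/$domain.ext" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
EOF
    openssl x509 -req -in "$WORK/$domain.csr" -CA "$CA_PEM" -CAkey "$CA_KEY" \
        -CAcreateserial -out "$WORK/$domain.crt" -days 825 -sha256 \
        -extfile "$WORK/$domain.ext" 2>/dev/null
}

# For contrast: a plain self-signed certificate for the same name, the kind
# that produces the browser warning in the first place.
make_self_signed() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 825 \
        -keyout "$WORK/$1.selfsigned.key" -subj "/CN=$1" \
        -out "$WORK/$1.selfsigned.crt" 2>/dev/null
}

# Check 1: does the certificate chain to our CA? This is the decision the
# browser makes once personal_CA.pem has been imported.
chains_to_ca() {
    openssl verify -CAfile "$CA_PEM" "$1" >/dev/null 2>&1
}

# Check 2: is the hostname in the subjectAltName? Browsers ignore the CN, so
# a certificate that chains but lacks the SAN still gets the warning.
san_contains() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}

# Check 3: the service certificate must carry CA:FALSE, so that a leaked
# service key cannot be used to mint further certificates under the root.
leaf_is_not_ca() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q "CA:FALSE"
}

make_ca
make_leaf myawesomeservice.lan
make_self_signed myawesomeservice.lan

CRT="$WORK/myawesomeservice.lan.crt"
if chains_to_ca "$CRT" && san_contains "$CRT" myawesomeservice.lan && leaf_is_not_ca "$CRT"; then
    echo "OK: $CRT chains to $CA_PEM and names myawesomeservice.lan"
fi
if ! chains_to_ca "$WORK/myawesomeservice.lan.selfsigned.crt"; then
    echo "As expected, the self-signed certificate does not verify against the CA"
fi
```

Run it with WORK set to your certs directory to keep the output, or leave it unset and it works in a temporary directory. The three check functions are the part to keep around: running them against every .crt you produce catches the two mistakes that still leave you with the warning after the CA has been imported (a missing SAN, or a cert signed by some other key), and the CA:FALSE check is what keeps a compromised web server from becoming an issuer.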
Et voilà, no more dreaded ‘Your connection is not private’ messages.