Friday, December 23, 2022

Generate a trusted HTTPS certificate for localhost using OpenSSL commands

Start from a copy of the system OpenSSL configuration file, so the stock file stays untouched:

sudo cp /usr/lib/ssl/openssl.cnf /etc/ssl/app.localhost.cnf

Now replace the corresponding sections of the copied file /etc/ssl/app.localhost.cnf with the following ([ v3_ca ] and [ v3_req ] already exist in the stock file and are overwritten; [ alt_names ] is new and lists every hostname the certificate must be valid for):

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage=serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = app.localhost
DNS.2 = localhost
DNS.3 = app1.localhost


In the [ req ] section of the same file, uncomment this line so that the v3_req extensions are read when the CSR is generated:

req_extensions = v3_req

Two caveats before moving on. The extendedKeyUsage=serverAuth line is left commented out above; Apple clients (Safari, iOS) require the serverAuth EKU on a server certificate and reject server certificates valid for more than 825 days, so if those clients matter, uncomment that line and use a shorter -days value for the server certificate below. Also, pathlen:3 is more than a local root that signs leaf certificates directly will ever use; pathlen:0 is the tighter choice.

Create the CA certificate (genrsa prompts for a passphrase because of -aes256; the same passphrase is asked for whenever the CA key is used):

openssl genrsa -aes256 -out ca.key.pem 2048

chmod 400 ca.key.pem 

openssl req -new -x509 -subj "/CN=applocalhostca" -extensions v3_ca -days 3650 -key ca.key.pem -sha256 -out ca.pem -config /etc/ssl/app.localhost.cnf 

openssl x509 -in ca.pem -text -noout

Create the server certificate, signed by the CA:

openssl genrsa -out app.localhost.key.pem 2048

openssl req -new -config /etc/ssl/app.localhost.cnf -extensions v3_req -sha256 -subj "/CN=app.localhost" -key app.localhost.key.pem -out app.localhost.csr

(-config is required here: without it the CSR is built from the stock /etc/ssl/openssl.cnf and the req_extensions change made above is never read. The signing step below still applies v3_req from the copied file via -extfile, which is where the SANs in the final certificate come from.)

openssl x509 -req -extensions v3_req -days 3650 -sha256 -in app.localhost.csr -CA ca.pem -CAkey ca.key.pem -CAcreateserial -out app.localhost.crt -extfile /etc/ssl/app.localhost.cnf

openssl x509 -in app.localhost.crt -text -noout
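The whole procedure above as one non-interactive script, added here as an example and not part of the original post. Instead of editing /etc/ssl/app.localhost.cnf it writes just the sections it needs into a scratch directory, takes the CA key passphrase from the CA_PASS environment variable rather than prompting (the variable name and the ./localca default directory are this example's own choices, not from the post), leaves extendedKeyUsage=serverAuth enabled, limits the server certificate to 825 days, and finishes with the two checks worth running before importing anything into a browser: that the server certificate chains to ca.pem for the sslserver purpose, and that the SAN list is the one the config asked for.

```shell
#!/bin/sh
# Added example: the post's CA + server certificate procedure as one script.
# Assumptions not taken from the post: the CA key passphrase comes from
# $CA_PASS (no prompt), and files land in ./localca unless a directory is given.
set -eu

# The three sections the post adds to its copy of openssl.cnf, plus the
# [ req ] section that has to reference req_extensions = v3_req.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# the subject is supplied with -subj on the command line

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 instead of the post's 3: this root signs leaf certs directly
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, keyCertSign

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# enabled here (the post comments it out): Apple clients require serverAuth
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = app.localhost
DNS.2 = localhost
DNS.3 = app1.localhost
EOF
}

# CA key (AES-256 encrypted with $CA_PASS) and self-signed CA certificate.
make_ca() {
    dir=$1
    cfg=$2
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key.pem" 2048
    chmod 400 "$dir/ca.key.pem"
    openssl req -new -x509 -config "$cfg" -extensions v3_ca -days 3650 -sha256 \
        -subj "/CN=applocalhostca" -key "$dir/ca.key.pem" -passin env:CA_PASS \
        -out "$dir/ca.pem"
}

# Server key, CSR and CA-signed certificate. -extfile/-extensions make the
# signer add the SANs from v3_req; 825 days stays within Apple's limit.
make_server() {
    dir=$1
    cfg=$2
    openssl genrsa -out "$dir/app.localhost.key.pem" 2048
    openssl req -new -config "$cfg" -extensions v3_req -sha256 \
        -subj "/CN=app.localhost" -key "$dir/app.localhost.key.pem" \
        -out "$dir/app.localhost.csr"
    openssl x509 -req -days 825 -sha256 -in "$dir/app.localhost.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key.pem" -passin env:CA_PASS \
        -CAcreateserial -extfile "$cfg" -extensions v3_req \
        -out "$dir/app.localhost.crt"
}

# Does the server cert chain to our CA and pass the TLS-server purpose checks
# (CA:FALSE, key usage, serverAuth EKU)? The exit status is the answer.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/app.localhost.crt" >/dev/null
}

# The SAN line as a browser will see it, for example
# "DNS:app.localhost, DNS:localhost, DNS:app1.localhost"
san_list() {
    openssl x509 -in "$1/app.localhost.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

main() {
    dir=${1:-./localca}
    cfg=$dir/app.localhost.cnf
    mkdir -p "$dir"
    write_config "$cfg"
    make_ca "$dir" "$cfg"
    make_server "$dir" "$cfg"
    verify_chain "$dir"
    echo "server cert OK; SAN: $(san_list "$dir")"
    echo "import $dir/ca.pem into the browser; keep $dir/ca.key.pem offline"
}

# Runs only when a passphrase was supplied:  CA_PASS='...' sh localca.sh [dir]
if [ -n "${CA_PASS:-}" ]; then
    main "${1:-}"
fi
```

Run it as `CA_PASS='your passphrase' sh localca.sh` and it prints the SAN line plus the two files to install; a failing `openssl verify` (wrong CA, missing EKU, a CA:TRUE leaf) aborts the script before anything is handed to a browser, because `set -e` treats the verify exit status as fatal.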

Now import ca.pem (only the certificate, never ca.key.pem, which stays offline) as a trusted authority in Chrome and Firefox:
Chrome > Privacy and security > Security > Manage certificates > Authorities
Firefox > Privacy and security > View Certificates > Authorities
 

Use app.localhost.crt and app.localhost.key.pem as the certificate and private key in the web server's TLS configuration.
Then open the virtual host over https; the browser should show no certificate warning.
