Create another config file from openssl configuration file.
sudo cp /usr/lib/ssl/openssl.cnf /etc/ssl/app.localhost.cnf
Now copy below code in the respective section of copied configuration file /etc/ssl/app.localhost.cnf
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = app.localhost
DNS.2 = localhost
DNS.3 = app1.localhost
Uncomment line.
req_extensions = v3_req
Create CA Certificate :
openssl genrsa -aes256 -out ca.key.pem 2048
chmod 400 ca.key.pem
openssl req -new -x509 -subj "/CN=applocalhostca" -extensions v3_ca -days 3650 -key ca.key.pem -sha256 -out ca.pem -config /etc/ssl/app.localhost.cnf
openssl x509 -in ca.pem -text -noout
Create Server certificate signed by CA :
openssl genrsa -out app.localhost.key.pem 2048
openssl req -subj "/CN=app.localhost" -extensions v3_req -sha256 -new -key app.localhost.key.pem -out app.localhost.csr
openssl x509 -req -extensions v3_req -days 3650 -sha256 -in app.localhost.csr -CA ca.pem -CAkey ca.key.pem -CAcreateserial -out app.localhost.crt -extfile /etc/ssl/app.localhost.cnf
openssl x509 -in app.localhost.crt -text -noout
Now add ca.pem in chrome and firefox,
Chrome > privacy and security > security > manage certificates > authority
firefox > privacy and security > view certificates > authority
Use these crt and key in web server as ssl certificates.
Now open this virtualhost with https. Warning should not be appeared.
No comments:
Post a Comment