Set up a self-signed SSL certificate.
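#!/usr/bin/env bash
# Install easy-rsa and stage two independent copies of the easyrsa tool:
#  - /usr/local/src/easyrsa-pki : the "PKI" side, which generates keys and
#    certificate requests (EASYRSA_PKI=/etc/pki);
#  - /usr/local/src/easyrsa-ca  : the "CA" side, which signs those requests
#    (EASYRSA_PKI=/etc/ca).
# Everything could be done with a single easyrsa instance; two copies simply
# make the request/sign split easier to follow. Must run as root (installs a
# package and writes under /usr/local/src).
set -euo pipefail

readonly SRC_EASYRSA=/usr/share/easy-rsa/easyrsa
readonly PKI_TOOL_DIR=/usr/local/src/easyrsa-pki
readonly CA_TOOL_DIR=/usr/local/src/easyrsa-ca

apt-get install easy-rsa

### Create the tool for the public key infrastructure center.
#
# Required to generate the certificate request to the CA.
mkdir -p -- "$PKI_TOOL_DIR"
cp -- "$SRC_EASYRSA" "$PKI_TOOL_DIR/"
# Quoted heredoc: nothing is expanded, the vars file is written verbatim.
cat > "$PKI_TOOL_DIR/vars" <<'EOF'
set_var EASYRSA_PKI "/etc/pki"
set_var EASYRSA_REQ_COUNTRY "FR"
set_var EASYRSA_REQ_PROVINCE "Ile de France"
set_var EASYRSA_REQ_CITY "Paris"
set_var EASYRSA_REQ_ORG "Company Name"
set_var EASYRSA_REQ_EMAIL "email@company-name.com"
set_var EASYRSA_REQ_OU "Company Name"
EOF

### Create the tool for the certificate authority center
#
mkdir -p -- "$CA_TOOL_DIR"
cp -- "$SRC_EASYRSA" "$CA_TOOL_DIR/"
cat > "$CA_TOOL_DIR/vars" <<'EOF'
set_var EASYRSA_PKI "/etc/ca"
EOF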
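#!/usr/bin/env bash
# Initialise the two easyrsa working folders and build the CA.
# Shell functions replace the original `alias easyrsa-pki=...` lines: aliases
# are not expanded in a non-interactive bash script unless
# `shopt -s expand_aliases` is set, so the aliases only worked when these
# commands were pasted into an interactive shell.
set -euo pipefail

# Thin wrappers around the two staged easyrsa copies; "$@" forwards the
# subcommand and its arguments unchanged.
easyrsa-pki() { /usr/local/src/easyrsa-pki/easyrsa "$@"; }
easyrsa-ca()  { /usr/local/src/easyrsa-ca/easyrsa "$@"; }

### Build the PKI working folder
#
easyrsa-pki init-pki
cp -- /usr/share/easy-rsa/openssl-easyrsa.cnf /etc/pki/

### Build the CA working folder
#
easyrsa-ca init-pki
cp -- /usr/share/easy-rsa/openssl-easyrsa.cnf /etc/ca/
# "nopass" leaves the CA private key unencrypted on disk: anyone who can read
# it can issue certificates that every client trusting ca.crt will accept.
# Fine for a throwaway lab CA; otherwise drop "nopass" so the key is
# passphrase-protected.
easyrsa-ca build-ca nopass
# The x509-types profiles (server, client, ...) are what sign-req applies.
cp -r -- /usr/share/easy-rsa/x509-types /etc/ca/x509-types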
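#!/usr/bin/env bash
# Generate a server key and certificate request on the PKI side, sign it with
# the CA, then copy the issued certificate and the CA certificate back next to
# the key under /etc/pki.
# Shell functions replace the original aliases, which are not expanded in a
# non-interactive bash script (only when pasted into an interactive shell).
set -euo pipefail

easyrsa-pki() { /usr/local/src/easyrsa-pki/easyrsa "$@"; }
easyrsa-ca()  { /usr/local/src/easyrsa-ca/easyrsa "$@"; }

# Name of the key/request/certificate. Defaults to company-name, as before,
# but can be overridden from the environment so one script serves several
# hosts.
: "${EASYRSA_KEYNAME:=company-name}"
export EASYRSA_KEYNAME

# "nopass": the server key is stored unencrypted so the web server can load it
# at startup without a passphrase prompt; keep the key file non-world-readable.
easyrsa-pki gen-req "$EASYRSA_KEYNAME" nopass
easyrsa-ca import-req "/etc/pki/reqs/$EASYRSA_KEYNAME.req" "$EASYRSA_KEYNAME"
# "server" selects the x509-types/server extension profile of the CA.
easyrsa-ca sign-req server "$EASYRSA_KEYNAME"
cp -f -- "/etc/ca/issued/$EASYRSA_KEYNAME.crt" "/etc/pki/$EASYRSA_KEYNAME.crt"
cp -f -- /etc/ca/ca.crt /etc/pki/ca.crt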
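#!/usr/bin/env bash
# Install the CA certificate, the server certificate and the server private
# key where the nginx site configuration expects them.
set -euo pipefail

# Defaults to company-name, as before; overridable from the environment.
: "${EASYRSA_KEYNAME:=company-name}"
export EASYRSA_KEYNAME

readonly CERT_DIR=/etc/ssl/local-certs
readonly KEY_DIR=/etc/ssl/private

# local-certs is a site-specific directory; create it so cp cannot fail on a
# fresh host.
mkdir -p -- "$CERT_DIR"
cp -f -- /etc/pki/ca.crt "$CERT_DIR/ca.crt"
cp -f -- "/etc/pki/$EASYRSA_KEYNAME.crt" "$CERT_DIR/$EASYRSA_KEYNAME.crt"
# install(1) rather than cp so the unencrypted private key ends up 0600
# regardless of the umask or of the mode of a pre-existing destination file.
install -m 0600 -- "/etc/pki/private/$EASYRSA_KEYNAME.key" "$KEY_DIR/$EASYRSA_KEYNAME.key"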
# nginx site for company-name.com: plain HTTP only redirects to HTTPS; the
# HTTPS server terminates TLS with the locally issued certificate and hands
# requests to a uwsgi application server.
upstream company-name.com {
### The SAPI server to serve (php-fpm, uwsgi...)
#
server 127.0.0.1:5000;
}
server {
listen 80;
listen [::]:80;
### Redirect all requests to https
#
server_name www.company-name.com company-name.com;
# $server_name is the first name of this block (www.company-name.com), not the
# client-supplied Host header, so the Location header never echoes untrusted
# input; the price is that bare company-name.com requests land on www.
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.company-name.com company-name.com;
### The ssl certs and key
#
# The certificate is issued by a private CA, so clients must install ca.crt to
# trust it. ssl_trusted_certificate is nginx's own trust store (used e.g. to
# verify OCSP responses when stapling is enabled) and is not sent to clients.
ssl_certificate /etc/ssl/local-certs/company-name.crt;
ssl_certificate_key /etc/ssl/private/company-name.key;
ssl_trusted_certificate /etc/ssl/local-certs/ca.crt;
location / {
# Name refers to the upstream block above, not to DNS.
uwsgi_pass company-name.com;
### The SAPI server params
#
include /etc/nginx/uwsgi_params;
}
}