Created
May 29, 2017 02:01
Wildcard self-signed SSL certificate creation
CA

Creating a CA (Certificate Authority) certificate and key. These files can be reused to sign certificates for different purposes, so that client machines need no update to trust the corresponding CA.

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Here is the CA certificate currently used to sign the certificates in our team: ca.pem

Certificate Generation using CA

Creating a server certificate and key and signing it with the CA. This is reissued for each domain.

openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=*.mydomain.com" -sha256 -new -key server-key.pem -out server.csr
# This step is essential for Chrome, which does not fall back to the CN and expects the name in subjectAltName.
# The value is quoted so that the shell does not glob-expand the "*".
echo "subjectAltName = DNS:*.mydomain.com,IP:127.0.0.1" > extfile.cnf
# You will be asked for the ca-key pass phrase.
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

On the server side, it is better to concatenate the server certificate followed by the CA certificate, so that anyone connecting can see the CA certificate and export it to add to the system or browser trust store on the client side.

Installing the CA certificate

On the client side, ca.pem needs to be added to the certificates trusted by the system with the following commands. Edit /etc/hosts to map the domain to the IP address of the server.

For Linux

cp ca.pem ca.crt
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
# Restart the docker daemon so that it picks up the updated trust store.
sudo systemctl daemon-reload
sudo systemctl restart docker

For Mac

cp ca.pem ca.crt
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
# Restart the docker daemon to use the added certificate.

The above steps are sufficient for some browsers like Chrome, which use the system trust store. Some browsers like Firefox keep their own certificate store and ignore the system certificates, so the CA has to be imported into the browser manually.
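Before distributing ca.pem to clients, it is worth checking that the issued server certificate actually does what the steps above intend. The script below is an added example, not part of the gist: it rebuilds a throwaway CA and wildcard certificate in a temporary directory (non-interactively, with 2048-bit keys and an unencrypted CA key purely so it runs unattended; the placeholder domain mydomain.com is the gist's) and then verifies that the server certificate chains to the CA, that its subjectAltName carries the wildcard, and that hostname validation accepts a name under the wildcard while rejecting a deeper subdomain, which a single-label wildcard does not cover. It assumes OpenSSL 1.1.0 or newer for `openssl verify -verify_hostname`.

```shell
#!/bin/sh
# Added example (not from the gist): build a test CA + wildcard server cert,
# then verify chain, SAN contents and wildcard hostname matching.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN="mydomain.com"   # placeholder domain, as in the gist

make_certs() {
  # CA key and self-signed CA certificate (no passphrase so this runs unattended;
  # the gist's -aes256 encrypted CA key is the right choice for a real CA)
  openssl genrsa -out "$WORK/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca-key.pem" -sha256 \
    -subj "/CN=Example Team CA" -out "$WORK/ca.pem" 2>/dev/null
  # Server key, CSR and SAN extension file, exactly as in the gist's steps
  openssl genrsa -out "$WORK/server-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/server-key.pem" -sha256 \
    -subj "/CN=*.$DOMAIN" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName = DNS:*.%s,IP:127.0.0.1\n' "$DOMAIN" > "$WORK/extfile.cnf"
  openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -out "$WORK/server-cert.pem" -extfile "$WORK/extfile.cnf" 2>/dev/null
}

# Succeeds if server-cert.pem chains to ca.pem (what clients will check once ca.pem is trusted)
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Succeeds if the certificate's subjectAltName lists the wildcard DNS name
san_has_wildcard() {
  openssl x509 -in "$WORK/server-cert.pem" -noout -text | grep -q "DNS:\*\.$DOMAIN"
}

# Succeeds if the certificate validates for the given hostname (SAN matching, as a browser does it)
host_ok() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/server-cert.pem" >/dev/null 2>&1
}

make_certs
if chain_ok && san_has_wildcard && host_ok "app.$DOMAIN" && ! host_ok "deep.app.$DOMAIN"; then
  echo "OK: chains to CA, SAN has *.$DOMAIN, app.$DOMAIN accepted, deep.app.$DOMAIN rejected"
else
  echo "certificate check FAILED" >&2
  exit 1
fi
```

The same three checks can be run against the real ca.pem and server-cert.pem by pointing WORK at the directory that holds them and skipping make_certs.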