@akailash
Created May 29, 2017 02:01
# Wildcard self-signed SSL certificate creation

## CA
Creating a CA (Certificate Authority) certificate and key. These two files can be reused to sign certificates for different purposes, so client machines that already trust this CA need no further update.

```shell
# Private CA key, encrypted with AES-256; you will be prompted for a pass phrase
openssl genrsa -aes256 -out ca-key.pem 4096
# Self-signed CA certificate, valid for one year (you will be prompted for the subject fields)
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
```
Here is the CA certificate currently used to sign the certificates in our team: ca.pem
## Certificate generation using the CA

Creating a server certificate and key and signing it with the CA. This part is repeated for each domain.
```shell
# Unencrypted server key (the server must be able to load it without a prompt)
openssl genrsa -out server-key.pem 4096
# Certificate signing request with the wildcard name as CN
openssl req -subj "/CN=*.mydomain.com" -sha256 -new -key server-key.pem -out server.csr
# This step is essential for Chrome, since it expects subjectAltName to be present.
# Quote the value so the shell does not glob-expand the "*".
echo "subjectAltName = DNS:*.mydomain.com,IP:127.0.0.1" > extfile.cnf
# Sign the CSR with the CA; you will be asked for the ca-key pass phrase
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
```
On the server side, it is better to concatenate the server certificate followed by the CA certificate, so that anyone connecting receives the CA certificate as part of the chain and can export it and add it to the system or browser certificates on the client side.
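The whole flow above, run end to end as an added example (this is not the gist's own script): the CA pass phrase is supplied on the command line so nothing prompts, the SAN file is written with the wildcard quoted, the leaf-then-CA bundle is built, and the result is then checked the way a client that has imported ca.pem would check it. The scratch directory, the domain `mydomain.com`, the CA subject and the pass phrase `example-ca-pass` are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the gist's code: non-interactive private CA + wildcard leaf,
# followed by the checks a browser performs (chain to the CA, SAN match).
# Assumptions: scratch dir, domain mydomain.com, constructed pass phrase.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-mydomain.com}"
CA_PASS="example-ca-pass"        # constructed for the example only
KEYBITS="${KEYBITS:-4096}"

make_ca() {
  # CA key encrypted with AES-256 as in the gist; pass phrase passed in so
  # no prompt appears. -x509 turns the request into a self-signed root.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca-key.pem" "$KEYBITS" 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key "$WORK/ca-key.pem" \
    -passin "pass:$CA_PASS" -subj "/CN=Team Private CA" -out "$WORK/ca.pem"
}

make_server_cert() {
  # Unencrypted server key and a CSR carrying the wildcard CN.
  openssl genrsa -out "$WORK/server-key.pem" "$KEYBITS" 2>/dev/null
  openssl req -new -sha256 -key "$WORK/server-key.pem" \
    -subj "/CN=*.$DOMAIN" -out "$WORK/server.csr"
  # SAN file: Chrome matches host names against subjectAltName, never the CN.
  printf 'subjectAltName = DNS:*.%s,IP:127.0.0.1\n' "$DOMAIN" > "$WORK/extfile.cnf"
  openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -passin "pass:$CA_PASS" \
    -CAcreateserial -extfile "$WORK/extfile.cnf" -out "$WORK/server-cert.pem" 2>/dev/null
  # Server-side bundle: leaf first, then the CA, as the gist recommends.
  cat "$WORK/server-cert.pem" "$WORK/ca.pem" > "$WORK/server-fullchain.pem"
}

# Exit 0 only if the leaf chains to ca.pem AND its SAN covers the given host
# name; this is what a client does once ca.pem sits in its trust store.
verify_for_host() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Same check for the IP SAN the gist adds (IP:127.0.0.1).
verify_for_ip() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" \
    "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Exit 0 only if the SAN extension Chrome insists on is really in the leaf.
has_san() {
  openssl x509 -in "$WORK/server-cert.pem" -noout -text 2>/dev/null \
    | grep -q "DNS:\*\.$DOMAIN"
}

# The bundle only helps if the leaf is first: openssl reads the first cert.
bundle_leaf_first() {
  openssl x509 -in "$WORK/server-fullchain.pem" -noout -subject 2>/dev/null \
    | grep -q "\*\.$DOMAIN"
}

make_ca
make_server_cert
printf 'certificates written to %s; SAN present: ' "$WORK"
has_san && echo yes || echo no
```

Two edge cases worth knowing when reusing the checks: `*.mydomain.com` covers `api.mydomain.com` but neither the bare `mydomain.com` nor the two-level `a.b.mydomain.com`, so `verify_for_host` fails for those even though the chain is fine; and `-CAcreateserial` writes `ca.srl` next to `ca.pem`, which later signings should reuse via `-CAserial` so two leaves never share a serial.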
## Installing the CA certificate

On the client side, ca.pem needs to be added to the certificates trusted by the system with the following commands. First edit /etc/hosts to map the domain to the IP address of the server.
### For Linux

```shell
cp ca.pem ca.crt
# update-ca-certificates picks up .crt files from this directory
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
# Restart the docker daemon so it uses the added certificate
sudo systemctl daemon-reload
sudo systemctl restart docker
```
### For Mac

```shell
cp ca.pem ca.crt
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
# Restart the docker daemon to use the added certificate.
```
The above steps are sufficient for some browsers, such as Chrome. Other browsers, such as Firefox, may ignore the system certificates and therefore require that the CA certificate be added to them manually.