To access and sync my ownCloud's calendar and contacts with my Android phone in a (more-or-less) secure manner through HTTPS, I needed to get an SSL/TLS certificate. Or, more precisely: a self-signed root CA (Certification Authority) certificate.
After searching for how-tos and creating a bunch of CA certificates, normal certificates, signing them, signing them vice-versa etc. -- yes, I don't really have a clue -- I mostly ran into one of these errors:
- when signing normal cert with CA cert: "not self-signed"
- when self-signing normal cert with itself: "no Basic Constraint CA flag"
Then I finally found this one-liner (https://langui.sh/2009/01/18/openssl-self-signed-ca/) that does the job just fine:
$ openssl req -newkey rsa:2048 -days 365 -x509 -nodes -out root.cer
When prompted for the Common Name (CN), enter the domain name you want to use this certificate on.
This creates a certificate file (named as defined in the -out parameter) and a key file, named 'privkey.pem' in my case. I had to upload this in the admin interface of my shared hoster, and 5 minutes later the certificate was installed and accepted by DAVDroid, the Android syncing app.
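The two errors listed above and the certificate's lifetime can be checked right after generation. The script below is an added example, not part of the original post: it runs the same one-liner non-interactively (`-subj` and `-keyout` are added for that) and then inspects the result. The CN `cloud.example.test` and the function names are hypothetical, and the CA flag check assumes the stock OpenSSL configuration, which adds it to `req -x509` certificates.

```shell
#!/bin/sh
# Added example. Constructed values: the CN and the temporary output directory.

# make_root <cn> <days> <dir>: the post's one-liner, made non-interactive.
make_root() {
  openssl req -newkey rsa:2048 -days "$2" -x509 -nodes \
    -subj "/CN=$1" -keyout "$3/privkey.pem" -out "$3/root.cer" 2>/dev/null &&
    chmod 600 "$3/privkey.pem"   # the key is unencrypted because of -nodes
}

# True if issuer == subject and the signature verifies with the cert's own key.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True if the Basic Constraints extension marks the certificate as a CA.
has_ca_flag() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# valid_for_days <cert> <days>: true if the cert is still valid <days> from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

dir=$(mktemp -d)
if make_root cloud.example.test 365 "$dir"; then
  for check in is_self_signed has_ca_flag; do
    if "$check" "$dir/root.cer"; then echo "$check: yes"; else echo "$check: NO"; fi
  done
  for days in 30 300 3650; do
    if valid_for_days "$dir/root.cer" "$days"; then
      echo "still valid in $days days"
    else
      echo "expired within $days days"
    fi
  done
fi
rm -rf "$dir"
```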
I would recommend you extend the expiration of your root by a lot (and maybe use a 4096-bit key).
There's no official way to extend a root certificate, so after a year (using your command line above), you'll have to redistribute the new root to all clients and you'll basically limit the lifetime of all certificates issued by your root to the lifetime of the root itself (one year).