@kfreezen
Last active October 10, 2020 18:12
Creating a trusted SSL certificate chain on Ubuntu with openssl

Trusted SSL on localhost

I'll try to tell you how to get yourself a nice green "Secure" button on your localhost.

0. Lay the groundwork

I stored everything in a .ssl directory in my home folder. To be really secure, make sure you apply proper permissions to this folder.

```shell
mkdir .ssl
chmod -R 700 .ssl
```

This keeps other users on the machine from snooping around your home folder's .ssl directory and reading your private keys. Not super-important on a single-user dev machine, but very important on a server.

Install ca-certificates with

```shell
apt-get install ca-certificates
```

1. Create a root CA file.

```shell
openssl req -x509 -newkey rsa:4096 -nodes -keyout rootCA.key -out rootCA.crt -days 3650
```

2. Create the CSR for your local machine to use.

Create a file named config.txt (or whatever you want). Modify its contents to look generally like the following.

```ini
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=Pennsylvania
L=Philadelphia
O=My Organization
OU=None
emailAddress=you@example.com
CN = 127.0.0.1

# req_extensions above must point at a section that exists, otherwise
# "openssl req" fails while loading the request extensions.
[ req_ext ]
subjectAltName = DNS:localhost, IP:127.0.0.1
```

Next step: generate the CSR file itself.

Note: This will ask you to enter a pass phrase for the new private key (the "PEM pass phrase" prompt).

```shell
openssl req -new -config config.txt -keyout localhost.key -out localhost.csr
```

I believe something like the following will work as well if you don't want to enter a password on Apache restarts.

```shell
# genrsa takes the key size as its last argument
openssl genrsa -out localhost.key 2048
openssl req -new -sha256 -nodes -key localhost.key -out localhost.csr -config config.txt
```

3. Create the certificate for your local dev host to use

Chrome uses the subjectAltName extension, not the Common Name, when determining which host names a certificate is valid for.

Create a file named extfile.txt with the following contents (each SAN entry is written as TYPE:value, so the IP entry uses a colon, not an equals sign):

```ini
subjectAltName=DNS:localhost,IP:127.0.0.1
```

The next step is to generate your certificate file.

```shell
openssl x509 -req -extfile extfile.txt -in localhost.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out localhost.crt -days 365 -sha256
```

You have a valid certificate now. The only thing left to do is tell your local machine to trust your root CA.

4. Getting your machine to trust you, or your CA

```shell
cp rootCA.crt /usr/share/ca-certificates
```

The next step is to run the reconfiguration for ca-certificates.

```shell
dpkg-reconfigure ca-certificates
```

In the prompt that comes up, select "ask" and press Enter.

Scroll through the list and find your new root CA certificate. Select it with the space bar and press enter.

Once dpkg is done, you should have a functioning trusted CA on your local computer.

Last step is to restart Chrome, go to Chrome Settings, search for 'certificates' and click Manage Certificates.

Find your certificate under Authorities, expand it and click the little vertical dots beside it.

Check the checkboxes you want to use the certificate for and you should be good to go!

P.S.

If this doesn't work for you, please let me know. I want it to be as accurate as possible.
