@kylewin
Last active May 12, 2024 03:51
Self-signed RootCA

RootCA installation

Generate a RootCA private key

openssl genrsa -out ca.key 2048

Generate a self-signed CA certificate from that private key. Pass -days explicitly: without it `openssl req -x509` issues a certificate that expires after 30 days. The Common Name you enter at the prompt (e.g. myCA) is the name that will show up in the trust store.

openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt

Add RootCA to local OS

On macOS, open Keychain Access -> File -> Import Items... -> ca.crt. Right click on myCA -> Get Info -> Trust -> Always Trust.
On Ubuntu, install `ca-certificates`. Copy ca.crt to `/usr/local/share/ca-certificates/myCA.crt` (the `.crt` extension is required). Refresh with `sudo update-ca-certificates`. Chrome and Firefox on Linux keep their own NSS trust stores and do not read the system bundle; for Chrome, import with `certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n myCA -i ca.crt` (package `libnss3-tools`), for Firefox use Settings -> Certificates -> Authorities -> Import.

Only ca.crt is installed. ca.key stays private: every browser on a machine that trusts this root will accept any certificate signed with it, so whoever holds ca.key can impersonate any site to those machines.

Issue a server certificate signed by the RootCA

Generate a private key for the server myabc.net

openssl genrsa -out myabc.net.key 2048

Generate a CSR from that private key. The CSR (not the key) is what gets sent to the RootCA for signing.

openssl req -new -key myabc.net.key -out myabc.net.csr

An extension file is required to set the Subject Alternative Name (SAN). Chrome matches the hostname against the SAN only and rejects a certificate that has none, whatever the Common Name says, and `openssl x509 -req` copies no extensions from the CSR, so they have to be supplied with -extfile:

myabc.net.ext:

basicConstraints=CA:FALSE
subjectAltName=DNS:*.myabc.net,DNS:myabc.net
extendedKeyUsage=serverAuth

Sign CSR with RootCA above. As with the CA certificate, -days is explicit because the default is 30 days; 825 days is the longest validity macOS and iOS accept for a TLS server certificate.

openssl x509 -req -in myabc.net.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out myabc.net.crt -sha256 -days 825 -extfile myabc.net.ext
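The whole RootCA -> CSR -> signed certificate procedure above, as an added script (not part of the gist) that runs non-interactively into a scratch directory and then checks the result the way a browser would: the leaf must chain to ca.crt, carry the SAN, and not itself be a CA. The CA certificate's own extensions (CA:TRUE, keyCertSign) are written into a small config file instead of relying on whatever the system openssl.cnf happens to set. The directory name, the "myCA" subject and the 3650/825-day lifetimes are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not the gist author's script. Creates a root CA and a
# SAN-bearing leaf certificate for a domain, then verifies them with openssl.
set -eu

# make_ca_and_leaf DIR DOMAIN: writes ca.key, ca.crt, DOMAIN.key/.csr/.ext/.crt into DIR
make_ca_and_leaf() {
  dir="$1"; domain="$2"
  mkdir -p "$dir"

  # Root CA key and self-signed certificate. The config makes the CA
  # extensions explicit; -days is explicit because `req -x509` defaults to 30.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = myCA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" \
    -out "$dir/ca.crt" -config "$dir/ca.cnf"

  # Server key and CSR. -subj replaces the interactive prompts.
  openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" -subj "/CN=$domain"

  # Leaf extensions: SAN is what Chrome matches the hostname against (the CN
  # is ignored); CA:FALSE keeps the leaf from signing further certificates;
  # serverAuth restricts it to TLS-server use.
  cat > "$dir/$domain.ext" <<EOF
basicConstraints=CA:FALSE
subjectAltName=DNS:*.$domain,DNS:$domain
extendedKeyUsage=serverAuth
EOF

  # Sign the CSR. `x509 -req` also defaults to 30 days and drops any
  # extensions in the CSR, so both -days and -extfile are needed.
  openssl x509 -req -sha256 -days 825 -in "$dir/$domain.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/$domain.crt" -extfile "$dir/$domain.ext" 2>/dev/null
}

# verify_chain DIR DOMAIN: succeeds only if the leaf chains to DIR/ca.crt
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null
}

# leaf_san DIR DOMAIN: prints the SAN entries of the leaf without spaces,
# e.g. "DNS:*.myabc.net,DNS:myabc.net"
leaf_san() {
  openssl x509 -in "$1/$2.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# is_ca_cert FILE: succeeds if the certificate carries basicConstraints CA:TRUE
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage: make_ca_and_leaf ./pki myabc.net && verify_chain ./pki myabc.net && leaf_san ./pki myabc.net
```

`openssl verify` performs the same chain check the browser will do once ca.crt is in its trust store, so a failure here means the install steps above will not help. Checking that the leaf is CA:FALSE matters because a leaf signed without -extfile, or with an extension file that omits basicConstraints, can be used to mint further certificates that the root's trust extends to.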

Use the signed certificate in Nginx. `listen 443;` alone serves plain HTTP on port 443; the `ssl` parameter is what enables TLS on that listener:

server {
    listen 443 ssl;
    server_name myabc.net *.myabc.net;
    ssl_certificate     /etc/certs/myabc.net.crt;
    ssl_certificate_key /etc/certs/myabc.net.key;
}

Access Nginx at https://myabc.net in Chrome (the name has to resolve to the server, e.g. via /etc/hosts). The connection is shown as secure only if the RootCA was imported into the trust store Chrome actually uses on that OS and the hostname matches a SAN entry.
