@sayden
Last active May 7, 2018 11:26
How to create self-signed certificates that don't warn clients

How to create self-signed certificates that don't warn clients (by installing the PEM file)

Create the root certificate (done once)

Create the password-protected root certificate key, then self-sign the root certificate:

openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Install PEM file into every client

How you do this depends greatly on the client. Browsers have specific places to install certificates. Some operating systems can also install one at the OS level, so you can use it outside of the browsers, for example.

Create a "server" certificate request now, to sign with the root certificate later

When issuing the second openssl command below, the common name must match the IP or FQDN that the client will use to access the server.

So if the server will be reached at localhost, the common name must be localhost. If it will be reached at 127.0.0.1, the common name must be 127.0.0.1:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr

Sign the new certificate with the root CA (for 500 days in this case)

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256
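
The whole procedure run end to end without the interactive prompts, as an added example that is not part of the original gist. It goes one step beyond the commands above by putting the name in a subjectAltName extension as well as the common name, because current browsers match the host against that extension and ignore the common name. The CA subject, the default passphrase, the use of AES-256 for the key encryption and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: the gist's procedure made non-interactive, plus a
# subjectAltName (SAN). Constructed: CA subject, passphrase, function names.

# DNS:<name> or IP:<addr> SAN entry for the name clients will connect to.
san_entry() {
    case "$1" in
        *[!0-9.]*) printf 'DNS:%s' "$1" ;;
        *)         printf 'IP:%s' "$1" ;;
    esac
}

# issue_server_cert DIR HOST: root CA plus a server cert for HOST, in DIR.
issue_server_cert() (
    set -e
    cd "$1"
    export CA_PASS="${CA_PASS:-constructed-example-passphrase}"
    # Root CA: encrypted key and self-signed certificate (done once).
    openssl genrsa -aes256 -passout env:CA_PASS -out rootCA.key 2048
    openssl req -x509 -new -key rootCA.key -passin env:CA_PASS -sha256 \
        -days 1024 -subj "/CN=Example Local Root CA" -out rootCA.pem
    # Server key and CSR; the CN is kept, but clients match on the SAN.
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/CN=$2" -out server.csr
    # By default "x509 -req" copies no extensions from the CSR: pass them.
    printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' \
        "$(san_entry "$2")" > server.ext
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
        -passin env:CA_PASS -CAcreateserial -out server.crt \
        -days 500 -sha256 -extfile server.ext
)

# verify_for_name DIR NAME: exit 0 only if server.crt chains to rootCA.pem
# and is valid for NAME (checked as an IP address or as a host name).
verify_for_name() {
    case "$(san_entry "$2")" in
        IP:*) flag=-verify_ip ;;
        *)    flag=-verify_hostname ;;
    esac
    openssl verify -CAfile "$1/rootCA.pem" "$flag" "$2" "$1/server.crt" \
        >/dev/null 2>&1
}

workdir=$(mktemp -d)
issue_server_cert "$workdir" localhost >/dev/null 2>&1
verify_for_name "$workdir" localhost && echo "localhost: accepted"
verify_for_name "$workdir" other.example || echo "other.example: rejected"
```

Only rootCA.pem is distributed to clients; rootCA.key stays on the machine that signs, since anyone holding it can issue certificates those clients will trust.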