If it is about the self-signed-certificate you can create your own CA and use this to sign the webserver’s certificate.
For testing a self-signed-certificate might be fine, but to avoid corrersponding error-messages you need a certificate signed by a CA.
Here are some steps to create your own CA and a webserver-certificate including SAN (subject alternate name) which is mandatory since a few years.
create CA
first create a Certificate Authority. For this you have to crate a private key
openssl genrsa -aes256 -out ca-key.pem 4096
The key is named ca-key.pem
and has a length of 4096 bits. The key is passwort-protected (because of the -aes256
-option) and has to be kept secure as a bad guy can create/sign arbitrary certificates which are trusted by the clients.
Now that a secret key for the CA is available we need the root-certificate which has to be imported by the clients/browsers to trust the certificates issued/signed by this CA.
The root-certificate ca-root.pem
is created with the following command - you may need the password for the key created in the step above:
openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512
In this case the CA will be valid 1024 days. During creation you will be asked for some attributes for the CA - an example:
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuerttemberg
Locality Name (eg, city) []:Pforzheim
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example-Company
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:ca.example.com
Email Address []:admin@example.com
Now you can import the ca-root.pem
-file into your browser’s/computer’s truststore.
create a certificate for the webserver
As the CA is completed we can create our first certificate.
A private key is the base. Similar to the CA a private key is created:
openssl genrsa -out webserver-key.pem 4096
Adding a password is not practicable in most cases as webserver have to ask for the password at every startup.
Now we will create a CSR - some attributes will be asked. The field Common Name has to be filled with the hostname the clients will connect to (either an ip-address 192.168.2.2
or DNS-name www.example.com
). You can leave the challenge-password empty:
openssl req -new -key webserver-key.pem -out webserver.csr -sha512
If I remember correctly from earlier tests the FQDN of the CA’s certificate and the FQDN of the webserver’s certificate have to be different.
Create an extfile for the webserver’s certificate which contains at least one line for alt_names
(you can add multiple lines DNS.2 = ...
, DNS.3 = ...
, … to create a certificate valid for multiple hostnames) as newer browers don’t trust the subject-fields’s cn:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
The webserver.csr
can now be processed by the CA. This will create the public key for the private.key. Both (the webserver-key.pem
and the webserver-pub.pem
) will be needed on the webserver for encryption.
The webserver-pub.pem
will be created using the following command and will be valid for 365 days:
openssl x509 -req -in webserver.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out webserver-pub.pem -days 365 -sha512 --extfile webserver.ext
The -CAcreateserial
is automatically skipped if a serial-file is present which will be used in this case.
The webserver-key.pem
and webserver-pub.pem
can now be used within your webserver’s configuration for encryption.
Your Browsers should trust your certificate and only give some minor hint that it is signed by a CA added manually and not trusted by default.
verify that your certificate is signed correctly
openssl verify -verbose -CAfile root-ca.pem webserver-pub.pem