Updated 24-05-2020
```bash
#!/usr/bin/env bash
# Usage: bash ssl.sh <your.local.domain.com>
set -euo pipefail
NAME=$1
mkdir -p "$NAME"
cd "$NAME"
# Generate the CA private key. -des3 encrypts it with a passphrase (you will be prompted for it).
# Keep this file private: anyone holding it can issue certificates your browser will trust.
# Note: every run creates a fresh CA inside $NAME/; to share one trusted root across several
# domains, reuse an existing myCA.key/myCA.pem instead of regenerating them.
openssl genrsa -des3 -out myCA.key 2048
# Generate the self-signed root certificate. This is the file you import into the trust store.
openssl req -x509 -new -key myCA.key -sha256 -days 825 -out myCA.pem
# Generate the server private key
openssl genrsa -out "$NAME.key" 2048
# Create a certificate-signing request
openssl req -new -key "$NAME.key" -out "$NAME.csr"
# Create a config file for the X.509 v3 extensions.
# The domain must appear in subjectAltName: Chrome and other modern clients ignore the
# Common Name when matching the host name. DNS.2 optionally adds further names (a subdomain here).
cat >"$NAME.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME
DNS.2 = bar.$NAME
EOF
# Create the signed server certificate. 825 days is the longest validity macOS/iOS accept
# for a TLS server certificate.
openssl x509 -req -in "$NAME.csr" -CA myCA.pem -CAkey myCA.key -CAcreateserial -out "$NAME.crt" -days 825 -sha256 -extfile "$NAME.ext"
```

- For Laradock users, it's best to do this in the `nginx/ssl` directory.
- Save the file somewhere, e.g. `ssl.sh`, and run `bash ssl.sh <your.local.domain.com>`.
- Locally trust the root by importing `myCA.pem` (the root certificate the script writes into the `<your.local.domain.com>` directory) into Keychain Access and enabling Always Trust on it. Trusting the root rather than each server certificate means every certificate you sign with it is accepted.
- Using Chrome, hit a page on your server via HTTPS and continue past the red warning page (assuming you haven't done this already).
- Open `Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates`.
- Click the Authorities tab and scroll down to find your certificate under the Organization Name that you gave to the certificate.
The guide below is about setting up SSL for local development, 8 steps in 5 minutes.
We'll be using openssl to configure this, as we would on a production server.
- Generate `rootCA.key` using openssl. The `-des3` flag encrypts the key with a passphrase; guard this file, because anyone who has it can issue certificates your machine will trust once the root is installed:
```bash
openssl genrsa -des3 -out rootCA.key 2048
```
- Generate `rootCA.pem`; you can specify any number of days at `-days` before the certificate expires:
```bash
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```
- Locally trust the certificate by importing `rootCA.pem` into Keychain Access and enabling Always Trust on that certificate.
- Create a new file with these settings and name it `server.csr.cnf`; it is passed to the later `openssl req` command with `-config`. Fill in the information as you did previously:
```ini
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=MY
ST=RandomState
L=RandomCity
O=RandomOrganization
OU=RandomOrganizationUnit
emailAddress=hello@example.com
CN = localhost
```
- Create a new file `v3.ext` (X.509 v3 extensions). Note the `@alt_names` section: it lists the host names the certificate is valid for, and browsers match the URL against these entries, not against the CN:
```ini
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
```
- Use the command below to generate `server.key` together with the signing request `server.csr` (`-nodes` leaves the server key unencrypted so nginx can read it without a passphrase):
```bash
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
```
- Run the command below to generate `server.crt`, signed by your root CA and carrying the extensions from `v3.ext`. Keep `-days` at or below 825: macOS and iOS reject TLS server certificates that are valid for longer.
```bash
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
```
- Bring `server.key` and `server.crt` to your nginx configuration:
```nginx
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
```
- Restart the nginx server.
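Added example, not code from the original page or its author: the same chain built with Go's standard library, covering both the `ssl.sh` script and the eight-step guide above. It creates a root CA, issues a leaf with the `v3.ext` / `$NAME.ext` settings (CA:FALSE, keyUsage, subjectAltName, authorityKeyIdentifier), and then runs the checks a browser performs. It shows why the domain must be in the SAN: a certificate that names the host only in its Common Name fails hostname verification even though its issuer is trusted, and a correct certificate fails when the client does not trust the root. The function names `newRootCA`, `newLeaf`, `verifyForHost`, the host names `localhost`, `bar.localhost`, `other.test`, and the use of ECDSA P-256 keys instead of RSA-2048 are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRootCA is the stdlib equivalent of rootCA.pem / myCA.pem: a self-signed CA certificate.
// ECDSA P-256 keys are an assumption of this example, used instead of RSA-2048 only for speed.
func newRootCA(org string, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, days),
		IsCA:                  true, // basicConstraints=CA:TRUE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf is the equivalent of server.crt: issued by the CA with the v3.ext settings
// (basicConstraints=CA:FALSE, keyUsage, subjectAltName). CreateCertificate copies the
// issuer's subject key id into authorityKeyIdentifier, as "keyid,issuer" does in openssl.
// Pass sans == nil to reproduce a certificate that names the host only in its CN.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, sans []string, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, days),
		BasicConstraintsValid: true, // IsCA stays false => basicConstraints=CA:FALSE
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		DNSNames: sans, // subjectAltName DNS.1, DNS.2, ...
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForHost performs the checks a browser makes on a TLS server certificate:
// the chain must end at a trusted root, the leaf must be inside its validity
// period, and host must match a subjectAltName entry (the CN is ignored).
func verifyForHost(trustedRoot, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := newRootCA("RandomOrganization", 1024)
	if err != nil {
		panic(err)
	}
	withSAN, err := newLeaf(ca, caKey, "localhost", []string{"localhost", "bar.localhost"}, 500)
	if err != nil {
		panic(err)
	}
	cnOnly, err := newLeaf(ca, caKey, "localhost", nil, 500)
	if err != nil {
		panic(err)
	}
	otherCA, _, err := newRootCA("Some Other CA", 1024)
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN cert, localhost:     ", verifyForHost(ca, withSAN, "localhost"))
	fmt.Println("SAN cert, other.test:    ", verifyForHost(ca, withSAN, "other.test"))
	fmt.Println("CN-only cert, localhost: ", verifyForHost(ca, cnOnly, "localhost"))
	fmt.Println("SAN cert, untrusted root:", verifyForHost(otherCA, withSAN, "localhost"))
}
```

Only the first line reports a nil error; the other three are the conditions behind Chrome's red warning page. To run the same checks on the files the openssl commands actually produced, `openssl verify -CAfile rootCA.pem server.crt` confirms the chain, and `openssl x509 -in server.crt -noout -text` lets you confirm that `CA:FALSE` and the `X509v3 Subject Alternative Name` entries made it into the certificate.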