How to become a local TLS certificate authority

2021-02-27T20:00:41Z

Pixl: Added Let's Encrypt link

<h2>Prologue</h2>
<p>This guide will show you how to create your own local certificate authority and how to create and sign certificates with it.</p>
<p>You can use this for local web development, or for anything that requires a self-signed certificate.</p>
<p>For external websites that are available through the internet I recommend using [https://letsencrypt.org/ Let’s Encrypt] which is free.</p>
<h2>Prerequisites</h2>
<p>Before you can start you need to fulfill following conditions to make this guide work:</p>
#Have a Linux system with openssl installed.
#Be administrator or have root privileges on the systems you want to install the certificate on.
#Know basic linux commands and have a rough understanding of how CA certificates work.

<h2>Creating the certificate authority</h2>
<h3>Generating the CA key file</h3>
<p>At this point we need to give our certificate authority a name.<br>
I decided to name it "DigitalCA".</p>
<p>We create a folder to put our CA files in:</p>
<code>sudo mkdir -p /opt/CA/</code>
<p>Change the directory to the newly created folder:</p>
<code>cd /opt/CA/</code>
<p>Then we create our certificate key file:</p>
<code>openssl genrsa -des3 -out DigitalCA.key 2048</code>
<p>You will be prompted to enter a password. <br>
Do not skip this step, the password will be used everytime you sign a certificate.</p>
<h3>Generating the root certificate file</h3>
<code>openssl req -x509 -new -nodes -key DigitalCA.key -sha256 -days 1825 -out DigitalCA.pem</code>
{| style="border:1px solid black"
| If you create this CA for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
This is a restriction Apple specifically made for their devices on self-signed certificates.
|}
<p>During the creation you will be asked to enter the password you entered earlier.</p>
<p>When asked for the Common Name I suggest you enter something you will recognize, such as DigitalCA in this case.</p>
<p>At this point you're done, make sure to remember the password and backup these files safely.</p>
<h2>Creating a certificate for a local website</h2>
<p>First we define a folder to put our files in. <br>
In this case I chose "/opt/DigitalWeb", as the DNS name will be digitalweb.domain.lan</p>
<code>sudo mkdir -p /opt/DigitalWeb</code>
Then we navigate into our folder.</p>
<code>cd /opt/DigitalWeb</code>
<p>We create the key file for our DigitalWeb website:</p>
<code>openssl genrsa -out digitalweb.domain.lan.key 2048</code>
<p>Next we create the CSR file which we need later to sign it with our CA.</p>
<code>openssl req -new -key digitalweb.domain.lan.key -out digitalweb.domain.lan.csr</code>
<p>You will be asked a lot of questions. Make sure when it asks for Common Name to enter the server FQDN. In this case: digitalweb.domain.lan</p>
<p>We create a new file named: digitalweb.domain.lan.ext</p>
<p>Paste in following text and adjust it to your needs.<br>
You can add more DNS names at the bottom.</p>
<pre>authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = digitalweb.domain.lan</pre>
<p>Save the file and create the certificate with following command:</p>
<code>openssl x509 -req -in digitalweb.domain.lan.csr -CA /opt/CA/DigitalCA.pem -CAkey /opt/CA/DigitalCA.key -CAcreateserial -out digitalweb.domain.lan.crt -days 825 -sha256 -extfile digitalweb.domain.lan.ext</code>
{| style="border:1px solid black"
| If you create this certificate for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
This is a restriction Apple specifically made for their devices on self-signed certificates.
|}
<p>After entering the password your CA you will have following files:</p>
*/opt/DigitalWeb/digitalweb.domain.lan.crt
*/opt/DigitalWeb/digitalweb.domain.lan.ext
*/opt/DigitalWeb/digitalweb.domain.lan.csr
*/opt/DigitalWeb/digitalweb.domain.lan.key
<p>Using the crt and key file you can now use it within any webserver and run the page with that certificate.</p>
<p>Keep in mind, for that certificate to be valid, the device needs to have the CA installed.</br>
In the next step we will import our certificate to a Windows computer, this works on phones, tablets and also on linux.</p>
<h2>Importing the CA certificate on Windows</h2>
<p>We open our settings for "computer certificates", we can do that by searching it on Windows.</p>
<p>Then we right click "Trusted Root Certification Authorities" and go to "All Tasks" and "Import".</p>
<p>The window you're looking for looks like this:</p>
[[File:Windows_computer_certificate_import.png]]
<p>In this case we import the file <b>DigitalCA.pem</b></p>
<p>After it has been imported, it will work out of the box on all browsers except Firefox.</p>
<p>For Firefox follow the next step in this guide.</p>
<h3>Configuring Firefox to allow certificate authorities from the computer</h3>
<p>In the URL bar of Firefox we type in:</p>
<code>about:config</code>
<p>We will be prompted with a security warning, we confirm it with "Accept the risk and continue".<br>
Then we search on top of the page for: "enterprise_root", we can set the option to <b>True</b> by double clicking it.</p>
<p>Firefox will now check against any certificate authorities you imported on your operating system.</p>
[[Category:cryptography]]
[[Category:certificates]]
[[Category:Web development]]

DiscordDigital Wiki - User contributions [en]

How to become a local TLS certificate authority