How to become a local TLS certificate authority - Revision history

Discorddigital at 16:59, 13 February 2022

2022-02-13T16:59:43Z

← Older revision		Revision as of 16:59, 13 February 2022
Line 57:		Line 57:
	This is a restriction Apple specifically made for their devices on self-signed certificates.		This is a restriction Apple specifically made for their devices on self-signed certificates.
	\|}		\|}
	<p>After entering the password your CA you will have following files:</p>		<p>After entering the password of your CA you will have following files:</p>
	*/opt/DigitalWeb/digitalweb.domain.lan.crt		*/opt/DigitalWeb/digitalweb.domain.lan.crt
	*/opt/DigitalWeb/digitalweb.domain.lan.ext		*/opt/DigitalWeb/digitalweb.domain.lan.ext

Discorddigital: Reverted edits by Discorddigital (talk) to last revision by Pixl

2021-02-28T11:27:51Z

Reverted edits by Discorddigital (talk) to last revision by Pixl

← Older revision		Revision as of 11:27, 28 February 2021
Line 23:		Line 23:
	<h3>Generating the root certificate file</h3>		<h3>Generating the root certificate file</h3>
	<code>openssl req -x509 -new -nodes -key DigitalCA.key -sha256 -days 1825 -out DigitalCA.pem</code>		<code>openssl req -x509 -new -nodes -key DigitalCA.key -sha256 -days 1825 -out DigitalCA.pem</code>
			{\| style="border:1px solid black"
	~~<!-- Info for Apple users:~~ If you create this CA for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.		\| If you create this CA for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
			This is a restriction Apple specifically made for their devices on self-signed certificates.
	This is a restriction Apple specifically made for their devices on self-signed certificates. ~~-->~~		\|}
	<p>During the creation you will be asked to enter the password you entered earlier.</p>		<p>During the creation you will be asked to enter the password you entered earlier.</p>
	<p>When asked for the Common Name I suggest you enter something you will recognize, such as DigitalCA in this case.</p>		<p>When asked for the Common Name I suggest you enter something you will recognize, such as DigitalCA in this case.</p>
Line 53:		Line 53:
	<p>Save the file and create the certificate with following command:</p>		<p>Save the file and create the certificate with following command:</p>
	<code>openssl x509 -req -in digitalweb.domain.lan.csr -CA /opt/CA/DigitalCA.pem -CAkey /opt/CA/DigitalCA.key -CAcreateserial -out digitalweb.domain.lan.crt -days 825 -sha256 -extfile digitalweb.domain.lan.ext</code>		<code>openssl x509 -req -in digitalweb.domain.lan.csr -CA /opt/CA/DigitalCA.pem -CAkey /opt/CA/DigitalCA.key -CAcreateserial -out digitalweb.domain.lan.crt -days 825 -sha256 -extfile digitalweb.domain.lan.ext</code>
	~~<p><!-- Info for Apple users~~: If you create this certificate for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.		{\| style="border:1px solid black"
			\| If you create this certificate for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
	This is a restriction Apple specifically made for their devices on self-signed certificates. ~~--></p>~~		This is a restriction Apple specifically made for their devices on self-signed certificates.
			\|}
	<p>After entering the password your CA you will have following files:</p>		<p>After entering the password your CA you will have following files:</p>
	*/opt/DigitalWeb/digitalweb.domain.lan.crt		*/opt/DigitalWeb/digitalweb.domain.lan.crt

Discorddigital at 11:27, 28 February 2021

2021-02-28T11:27:32Z

← Older revision		Revision as of 11:27, 28 February 2021
Line 23:		Line 23:
	<h3>Generating the root certificate file</h3>		<h3>Generating the root certificate file</h3>
	<code>openssl req -x509 -new -nodes -key DigitalCA.key -sha256 -days 1825 -out DigitalCA.pem</code>		<code>openssl req -x509 -new -nodes -key DigitalCA.key -sha256 -days 1825 -out DigitalCA.pem</code>
	~~{\| style="border~~:~~1px solid black"~~
	\| If you create this CA for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.		<!-- Info for Apple users: If you create this CA for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
	This is a restriction Apple specifically made for their devices on self-signed certificates.
	\|}		This is a restriction Apple specifically made for their devices on self-signed certificates. -->
	<p>During the creation you will be asked to enter the password you entered earlier.</p>		<p>During the creation you will be asked to enter the password you entered earlier.</p>
	<p>When asked for the Common Name I suggest you enter something you will recognize, such as DigitalCA in this case.</p>		<p>When asked for the Common Name I suggest you enter something you will recognize, such as DigitalCA in this case.</p>
Line 53:		Line 53:
	<p>Save the file and create the certificate with following command:</p>		<p>Save the file and create the certificate with following command:</p>
	<code>openssl x509 -req -in digitalweb.domain.lan.csr -CA /opt/CA/DigitalCA.pem -CAkey /opt/CA/DigitalCA.key -CAcreateserial -out digitalweb.domain.lan.crt -days 825 -sha256 -extfile digitalweb.domain.lan.ext</code>		<code>openssl x509 -req -in digitalweb.domain.lan.csr -CA /opt/CA/DigitalCA.pem -CAkey /opt/CA/DigitalCA.key -CAcreateserial -out digitalweb.domain.lan.crt -days 825 -sha256 -extfile digitalweb.domain.lan.ext</code>
	~~{\| style="border~~:~~1px solid black"~~		<p><!-- Info for Apple users: If you create this certificate for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
	\| If you create this certificate for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
	This is a restriction Apple specifically made for their devices on self-signed certificates.		This is a restriction Apple specifically made for their devices on self-signed certificates. --></p>
	\|}
	<p>After entering the password your CA you will have following files:</p>		<p>After entering the password your CA you will have following files:</p>
	*/opt/DigitalWeb/digitalweb.domain.lan.crt		*/opt/DigitalWeb/digitalweb.domain.lan.crt

Pixl: Added Let's Encrypt link

2021-02-27T20:00:41Z

Added Let's Encrypt link

← Older revision		Revision as of 20:00, 27 February 2021
Line 2:		Line 2:
	<p>This guide will show you how to create your own local certificate authority and how to create and sign certificates with it.</p>		<p>This guide will show you how to create your own local certificate authority and how to create and sign certificates with it.</p>
	<p>You can use this for local web development, or for anything that requires a self-signed certificate.</p>		<p>You can use this for local web development, or for anything that requires a self-signed certificate.</p>
	<p>For external websites that are available through the internet I recommend using Let’s Encrypt which is free.</p>		<p>For external websites that are available through the internet I recommend using [https://letsencrypt.org/ Let’s Encrypt] which is free.</p>
	<h2>Prerequisites</h2>		<h2>Prerequisites</h2>
	<p>Before you can start you need to fulfill following conditions to make this guide work:</p>		<p>Before you can start you need to fulfill following conditions to make this guide work:</p>

Discorddigital at 18:35, 27 February 2021

2021-02-27T18:35:28Z

← Older revision		Revision as of 18:35, 27 February 2021
Line 79:		Line 79:
	Then we search on top of the page for: "enterprise_root", we can set the option to <b>True</b> by double clicking it.</p>		Then we search on top of the page for: "enterprise_root", we can set the option to <b>True</b> by double clicking it.</p>
	<p>Firefox will now check against any certificate authorities you imported on your operating system.</p>		<p>Firefox will now check against any certificate authorities you imported on your operating system.</p>
			[[Category:cryptography]]
			[[Category:certificates]]
			[[Category:Web development]]

Discorddigital: Created page with "

Prologue

This guide will show you how to create your own local certificate authority and how to create and sign certificates with it.

You can use this for l..."

2021-02-27T18:28:07Z

Created page with "<h2>Prologue</h2> <p>This guide will show you how to create your own local certificate authority and how to create and sign certificates with it.</p> <p>You can use this for l..."

New page

<h2>Prologue</h2>
<p>This guide will show you how to create your own local certificate authority and how to create and sign certificates with it.</p>
<p>You can use this for local web development, or for anything that requires a self-signed certificate.</p>
<p>For external websites that are available through the internet I recommend using Let’s Encrypt which is free.</p>
<h2>Prerequisites</h2>
<p>Before you can start you need to fulfill following conditions to make this guide work:</p>
#Have a Linux system with openssl installed.
#Be administrator or have root privileges on the systems you want to install the certificate on.
#Know basic linux commands and have a rough understanding of how CA certificates work.

<h2>Creating the certificate authority</h2>
<h3>Generating the CA key file</h3>
<p>At this point we need to give our certificate authority a name.<br>
I decided to name it "DigitalCA".</p>
<p>We create a folder to put our CA files in:</p>
<code>sudo mkdir -p /opt/CA/</code>
<p>Change the directory to the newly created folder:</p>
<code>cd /opt/CA/</code>
<p>Then we create our certificate key file:</p>
<code>openssl genrsa -des3 -out DigitalCA.key 2048</code>
<p>You will be prompted to enter a password. <br>
Do not skip this step, the password will be used everytime you sign a certificate.</p>
<h3>Generating the root certificate file</h3>
<code>openssl req -x509 -new -nodes -key DigitalCA.key -sha256 -days 1825 -out DigitalCA.pem</code>
{| style="border:1px solid black"
| If you create this CA for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
This is a restriction Apple specifically made for their devices on self-signed certificates.
|}
<p>During the creation you will be asked to enter the password you entered earlier.</p>
<p>When asked for the Common Name I suggest you enter something you will recognize, such as DigitalCA in this case.</p>
<p>At this point you're done, make sure to remember the password and backup these files safely.</p>
<h2>Creating a certificate for a local website</h2>
<p>First we define a folder to put our files in. <br>
In this case I chose "/opt/DigitalWeb", as the DNS name will be digitalweb.domain.lan</p>
<code>sudo mkdir -p /opt/DigitalWeb</code>
Then we navigate into our folder.</p>
<code>cd /opt/DigitalWeb</code>
<p>We create the key file for our DigitalWeb website:</p>
<code>openssl genrsa -out digitalweb.domain.lan.key 2048</code>
<p>Next we create the CSR file which we need later to sign it with our CA.</p>
<code>openssl req -new -key digitalweb.domain.lan.key -out digitalweb.domain.lan.csr</code>
<p>You will be asked a lot of questions. Make sure when it asks for Common Name to enter the server FQDN. In this case: digitalweb.domain.lan</p>
<p>We create a new file named: digitalweb.domain.lan.ext</p>
<p>Paste in following text and adjust it to your needs.<br>
You can add more DNS names at the bottom.</p>
<pre>authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = digitalweb.domain.lan</pre>
<p>Save the file and create the certificate with following command:</p>
<code>openssl x509 -req -in digitalweb.domain.lan.csr -CA /opt/CA/DigitalCA.pem -CAkey /opt/CA/DigitalCA.key -CAcreateserial -out digitalweb.domain.lan.crt -days 825 -sha256 -extfile digitalweb.domain.lan.ext</code>
{| style="border:1px solid black"
| If you create this certificate for Apple devices. Do not exceed 825 days, otherwise the certificate will be invalid.
This is a restriction Apple specifically made for their devices on self-signed certificates.
|}
<p>After entering the password your CA you will have following files:</p>
*/opt/DigitalWeb/digitalweb.domain.lan.crt
*/opt/DigitalWeb/digitalweb.domain.lan.ext
*/opt/DigitalWeb/digitalweb.domain.lan.csr
*/opt/DigitalWeb/digitalweb.domain.lan.key
<p>Using the crt and key file you can now use it within any webserver and run the page with that certificate.</p>
<p>Keep in mind, for that certificate to be valid, the device needs to have the CA installed.</br>
In the next step we will import our certificate to a Windows computer, this works on phones, tablets and also on linux.</p>
<h2>Importing the CA certificate on Windows</h2>
<p>We open our settings for "computer certificates", we can do that by searching it on Windows.</p>
<p>Then we right click "Trusted Root Certification Authorities" and go to "All Tasks" and "Import".</p>
<p>The window you're looking for looks like this:</p>
[[File:Windows_computer_certificate_import.png]]
<p>In this case we import the file <b>DigitalCA.pem</b></p>
<p>After it has been imported, it will work out of the box on all browsers except Firefox.</p>
<p>For Firefox follow the next step in this guide.</p>
<h3>Configuring Firefox to allow certificate authorities from the computer</h3>
<p>In the URL bar of Firefox we type in:</p>
<code>about:config</code>
<p>We will be prompted with a security warning, we confirm it with "Accept the risk and continue".<br>
Then we search on top of the page for: "enterprise_root", we can set the option to <b>True</b> by double clicking it.</p>
<p>Firefox will now check against any certificate authorities you imported on your operating system.</p>