Could anyone suggest a modern way of generating self-signed certificates to be implemented on localhost, which would be accepted by Chrome and Mozilla?
I tried the openssl generation, however Mozilla complains that the issuer is untrusted.
Centos 7, nginx
Answers:
Method 1
Warning: Before you dive into the minefield of running your own Certification Authority, you may need to study the security implications!
But if you must, read on for a quick and dirty CA that will give you https://localhost/ without a warning message…
Create the following text file:
# OpenSSL configuration for Root CA
[ req ]
prompt = no
string_mask = default
# The size of the keys in bits:
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
# Note that the following are in 'reverse order' to what you'd expect to see.
countryName = gb
organizationName = Test
commonName = Test Root CA
[ x509_ext ]
basicConstraints=critical,CA:true,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
Save as root.cnf then generate the request with:
$ openssl req -x509 -new -keyout root.key -out root.cer -config root.cnf
This will create your Root CA certificate (root.cer) and your Root CA private key (root.key) which you must keep private. It will prompt for a password for the private key – ensure you choose a strong one.
Now create a config file for the server certificate:
# OpenSSL configuration for end-entity cert
[ req ]
prompt = no
string_mask = default
# The size of the keys in bits:
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
# Note that the following are in 'reverse order' to what you'd expect to see.
countryName = gb
organizationName = Test
commonName = localhost
[ x509_ext ]
keyUsage=critical,digitalSignature,keyAgreement
subjectAltName = @alt_names
# Multiple Alternate Names are possible
[alt_names]
DNS.1 = localhost
# DNS.2 = altName.example.com
Save it as server.cnf and generate the request with:
$ openssl req -nodes -new -keyout server.key -out server.csr -config server.cnf
The above will generate another private key (server.key) which you must protect. In this case, the key is not password protected, but you may add a password by removing the -nodes option.
Finally, sign the request with your new Root CA and extensions from the server.cnf file (for convenience):
$ openssl x509 -req -in server.csr -CA root.cer -CAkey root.key -set_serial 123 -out server.cer -extfile server.cnf -extensions x509_ext
Note: pick any random number for the -set_serial option.
It will ask for the password you entered when you generated the Root CA.
A server certificate (server.cer) will be generated.
Now, add the Root CA certificate (root.cer) to Firefox’s trust-anchor store so that the browser trusts your new CA.
Run a test by using OpenSSL as a temporary web-server with:
$ sudo openssl s_server -key server.key -cert server.cer -accept 443 -www
Note: You may get errors if you already have a server running on port 443. In that case, either stop the running server or change the port number above to another unused port by changing the ending to (for example) -accept 8443 -www
When you navigate to https://localhost (or https://localhost:8443 if you changed the port number above) with Firefox, you should now see no warning and be presented with a list of ciphers your installation of OpenSSL can offer.
Once you’re happy with the results, add the server.key and server.cer to your original webserver and configure accordingly.
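The same two-step procedure as an unattended script that also checks its own output; this is an added example, not the answer's own code. It assumes the openssl CLI (1.0.2 or later, so it also works on CentOS 7) is on PATH, skips the root-key passphrase only so it can run without prompts, and adds extendedKeyUsage = serverAuth, an IP SAN and a random serial to the server certificate, which the answer's config leaves out.

```shell
# Added example, not from the original answer: the same two-step procedure run
# unattended in a scratch directory, then checked. Assumes the openssl CLI on PATH.
set -eu
WORK="${WORK:-$(mktemp -d)}"
make_localhost_chain() {
  cd "$WORK"
  cat > root.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
countryName = GB
organizationName = Test
commonName = Test Root CA
[ ca_ext ]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
  cat > server.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
countryName = GB
organizationName = Test
commonName = localhost
[ srv_ext ]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
  # -nodes on the root key only so this runs unattended; keep the passphrase for real use.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -keyout root.key -out root.cer -config root.cnf 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config server.cnf 2>/dev/null
  # Random 128-bit serial instead of a fixed 123: browsers cache certs by (issuer, serial).
  openssl x509 -req -days 365 -in server.csr -CA root.cer -CAkey root.key \
    -set_serial "0x$(openssl rand -hex 16)" -extfile server.cnf -extensions srv_ext \
    -out server.cer 2>/dev/null
}
# 0 only if server.cer chains to root.cer, does NOT verify alone (the question's
# "issuer is untrusted" symptom) and carries DNS:localhost in its SAN.
verify_localhost_chain() {
  cd "$WORK"
  openssl verify -CAfile root.cer server.cer >/dev/null 2>&1 || return 1
  openssl verify server.cer >/dev/null 2>&1 && return 1
  openssl x509 -in server.cer -noout -text | grep -q 'DNS:localhost'
}
```

Run `make_localhost_chain && verify_localhost_chain && echo ok`; the files land in $WORK, and only root.cer needs importing into the browser's trust store.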
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.