Do not use self-signed certificates in production! The procedure below creates a private CA for local development only.
Generate RootCA.pem, RootCA.key & RootCA.crt:
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=<country>/CN=<name>-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
Note: You have to replace <country> with your country code ("US" for example) and <name> with your organization name. The -nodes flag leaves RootCA.key unencrypted, which is acceptable only because this CA exists for local development: anyone who obtains RootCA.key can issue certificates that every machine trusting this CA will accept, so keep it out of shared directories and repositories.
Let's say you have a domain example.lan that is hosted on your local machine for development. First, create a file domains.ext and add your domain:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.lan
You can add more domains by appending more DNS records to the end of this file like so:
DNS.2 = second.lan
DNS.3 = third.lan
Generate example.lan.key, example.lan.csr, and example.lan.crt:
openssl req -new -nodes -newkey rsa:2048 -keyout example.lan.key -out example.lan.csr -subj "/C=<country>/ST=<state>/L=<city>/O=<name>-Certificates/CN=example.lan"
openssl x509 -req -sha256 -days 1024 -in example.lan.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out example.lan.crt
Note: Replace <country>, <state>, <city>, <name> with the appropriate values. The subjectAltName entries from domains.ext are what browsers match against the host name; the CN alone is no longer sufficient. Also note that Apple platforms reject TLS server certificates valid for longer than 825 days, so lower -days below that if macOS or iOS clients need to connect.
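The whole procedure above (root CA, extension file with one SAN per domain, leaf key/CSR, signing) as a script, followed by the checks worth running on the result. This is an added example, not code from the original page; it assumes openssl 1.1.1 or newer on PATH, and the names demo-Root-CA, demo-Certificates, example.lan and the working directory are placeholders. It differs from the page's commands in two deliberate ways: the CA extensions are spelled out in a private config file so the result does not depend on the system openssl.cnf, and the leaf gets extendedKeyUsage = serverAuth, which some clients require for a TLS server certificate.

```shell
#!/bin/sh
# Added example: scripted local CA + leaf certificate, with verification.
# Assumes `openssl` on PATH. All names below are placeholders.

# make_local_ca WORKDIR PRIMARY_DOMAIN [EXTRA_DOMAIN ...]
# Creates RootCA.key/.pem/.crt and PRIMARY_DOMAIN.key/.csr/.crt in WORKDIR.
make_local_ca() {
    d=$1; primary=$2; shift 2
    mkdir -p "$d" || return 1

    # 1. Root CA. Extensions are explicit: CA:TRUE and keyCertSign are what
    #    make this certificate usable as a trust anchor.
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = US
CN = demo-Root-CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
        -config "$d/ca.cnf" -keyout "$d/RootCA.key" -out "$d/RootCA.pem" \
        2>/dev/null || return 1
    openssl x509 -outform pem -in "$d/RootCA.pem" -out "$d/RootCA.crt" || return 1

    # 2. Leaf extensions: not a CA, TLS-server usage, one SAN entry per domain.
    {
        printf 'authorityKeyIdentifier = keyid,issuer\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$primary" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$d/domains.ext"

    # 3. Leaf key + CSR, then sign the CSR with the CA, applying domains.ext.
    openssl req -new -nodes -newkey rsa:2048 -keyout "$d/$primary.key" \
        -out "$d/$primary.csr" -subj "/C=US/O=demo-Certificates/CN=$primary" \
        2>/dev/null || return 1
    openssl x509 -req -sha256 -days 1024 -in "$d/$primary.csr" \
        -CA "$d/RootCA.pem" -CAkey "$d/RootCA.key" -CAcreateserial \
        -extfile "$d/domains.ext" -out "$d/$primary.crt" 2>/dev/null || return 1

    # 4. Private keys are secrets: owner-only, never 644.
    chmod 600 "$d/RootCA.key" "$d/$primary.key"
}

# verify_leaf WORKDIR PRIMARY_DOMAIN EXPECTED_SAN
# Prints "ok" (exit 0) when the leaf chains to RootCA, carries EXPECTED_SAN
# in subjectAltName, is marked CA:FALSE, and its key is mode 0600.
verify_leaf() {
    d=$1; primary=$2; expect=$3
    openssl verify -CAfile "$d/RootCA.pem" "$d/$primary.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$d/$primary.crt" -noout -text) || return 1
    case $text in *"DNS:$expect"*) ;; *) return 1 ;; esac
    case $text in *"CA:FALSE"*) ;; *) return 1 ;; esac
    [ -n "$(find "$d/$primary.key" -perm 600)" ] || return 1
    echo ok
}

# Usage: sh thisscript.sh run   (placeholder directory /tmp/localca)
if [ "${1:-}" = run ]; then
    make_local_ca /tmp/localca example.lan second.lan && \
    verify_leaf /tmp/localca example.lan second.lan
fi
```

verify_leaf is the check to keep around: `openssl verify -CAfile` proves the signature chain, the `-text` dump proves the SAN and CA:FALSE extensions actually landed (a leaf signed without `-extfile` silently has neither), and the permission test catches the 644 key that the original page's chmod would have produced.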
Copy your example.lan.crt and example.lan.key files to a safe location and give them the proper access rights. The certificate is public and can stay world-readable, but the private key must be readable only by root (the web server reads it before dropping privileges); with mode 644 every local user could read the key and impersonate the site:
sudo mkdir -p /opt/certs
sudo cp example.lan.crt example.lan.key /opt/certs/
sudo chmod 644 /opt/certs/example.lan.crt
sudo chmod 600 /opt/certs/example.lan.key
You can now configure your webserver.
Apache (you should be using Nginx):
SSLEngine on
SSLCertificateFile "/opt/certs/example.lan.crt"
SSLCertificateKeyFile "/opt/certs/example.lan.key"
Nginx:
listen 443 ssl;
ssl_certificate /opt/certs/example.lan.crt;
ssl_certificate_key /opt/certs/example.lan.key;
At this point the site loads, but the browser warns that the certificate was issued by an unknown authority: the site certificate is not self-signed, it chains to a CA the system has never heard of. To get rid of the warning, your new local CA has to be added to the trusted root certificate authorities.
Copy your RootCA.crt file to the anchors directory. It is the CA certificate that must be trusted, not example.lan.crt: once the CA is an anchor, the site certificate validates through it. The path below is the one used by Fedora/RHEL-family systems:
sudo cp RootCA.crt /etc/pki/ca-trust/source/anchors/
Update the trusted CAs:
sudo update-ca-trust
On Debian/Ubuntu the equivalent is sudo cp RootCA.crt /usr/local/share/ca-certificates/ followed by sudo update-ca-certificates. Afterwards curl https://example.lan should succeed without --insecure.
For Firefox, which keeps its own certificate store, there are two things you need to do.
First go to about:config and set security.enterprise_roots.enabled to true.
Then import the certificate by going to about:preferences#privacy > Certificates > Import > RootCA.pem and tick "Trust this CA to identify websites".
Usually, the first step should be enough, but sometimes Firefox complains, so add the certificate just in case.