@StanGenchev
Last active September 30, 2020 09:45
Generate a CA and domain certificate and add them to trusted in CentOS Linux, Red Hat Linux and Fedora.

Certificate authority (CA)

Do not use self-signed certificates in production!

Generate RootCA.pem, RootCA.key & RootCA.crt:

openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=<country>/CN=<name>-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt

Note: You have to replace <country> with your country code ("US" for example) and <name> with your organization name.

Domain name certificate

Let's say you have a domain example.lan that is hosted on your local machine for development.

First, create a file domains.ext and add your domain:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.lan

You can add more domains by appending more DNS records to the end of this file like so:

DNS.2 = second.lan
DNS.3 = third.lan

Generate example.lan.key, example.lan.csr, and example.lan.crt:

openssl req -new -nodes -newkey rsa:2048 -keyout example.lan.key -out example.lan.csr -subj "/C=<country>/ST=<state>/L=<city>/O=<name>-Certificates/CN=example.lan"
openssl x509 -req -sha256 -days 1024 -in example.lan.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out example.lan.crt

Note: Replace the <country>, <state>, <city>, <name> with the appropriate values.

Copy your example.lan.crt and example.lan.key files to a safe location (/opt/certs is used below) and give them the proper access rights. The certificate is public, but the private key must only be readable by its owner; the web server's master process reads it as root before dropping privileges:

sudo mkdir -p /opt/certs
sudo cp example.lan.crt example.lan.key /opt/certs/
sudo chmod 644 /opt/certs/example.lan.crt
sudo chmod 600 /opt/certs/example.lan.key

You can now configure your webserver.

Apache (you should be using Nginx):

SSLEngine on
SSLCertificateFile "/opt/certs/example.lan.crt"
SSLCertificateKeyFile "/opt/certs/example.lan.key"

Nginx:

listen 443 ssl;
ssl_certificate /opt/certs/example.lan.crt;
ssl_certificate_key /opt/certs/example.lan.key;

Trust the local CA

At this point, the site would load with a warning about self-signed certificates. In order to get a green lock, your new local CA has to be added to the trusted Root Certificate Authorities.

Chrome, wget, curl, etc

Copy your RootCA.crt file to the anchors directory. It is the CA certificate that has to be trusted, not the domain certificate: once the CA is an anchor, every certificate it signs (example.lan.crt and any later ones) is accepted, which is also what the Firefox step below does with RootCA.pem:

sudo cp RootCA.crt /etc/pki/ca-trust/source/anchors/

Update the trusted CAs:

sudo update-ca-trust
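The steps from the "Certificate authority" and "Domain name certificate" sections above, run end-to-end and then checked, as an added example that is not part of the gist. It drives the same openssl commands in a scratch directory, writes domains.ext from a list of hostnames, then confirms that the issued certificate chains to the local CA and carries the expected subjectAltName entries. The verify_against_bundle function is also the check for this "Trust the local CA" section: after update-ca-trust, point it at /etc/pki/tls/certs/ca-bundle.crt (the bundle that update-ca-trust regenerates on CentOS, RHEL and Fedora) and it reports whether the anchor took effect. Assumed: openssl is on PATH; the subject values XX, State, City and Example-Dev are constructed sample values.

```shell
#!/bin/sh
# Added example, not the gist's own commands. Assumes openssl on PATH.
set -eu

# Create RootCA.key / RootCA.pem / RootCA.crt in $1, as the gist does.
# Subject values are constructed placeholders.
make_root_ca() {
    dir=$1
    openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
        -keyout "$dir/RootCA.key" -out "$dir/RootCA.pem" \
        -subj "/C=XX/CN=Example-Dev-Root-CA" 2>/dev/null
    openssl x509 -outform pem -in "$dir/RootCA.pem" -out "$dir/RootCA.crt"
    chmod 600 "$dir/RootCA.key"   # the CA key signs everything: owner-only
}

# Write domains.ext in $1 with one DNS.n entry per hostname given after it.
write_domains_ext() {
    dir=$1; shift
    {
        printf 'authorityKeyIdentifier=keyid,issuer\n'
        printf 'basicConstraints=CA:FALSE\n'
        printf 'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n'
        printf 'subjectAltName = @alt_names\n'
        printf '[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$dir/domains.ext"
}

# Issue <host>.key / <host>.csr / <host>.crt in $1, signed by the root CA
# created there by make_root_ca, using the SANs from domains.ext.
issue_cert() {
    dir=$1; host=$2
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=XX/ST=State/L=City/O=Example-Dev-Certificates/CN=$host" 2>/dev/null
    openssl x509 -req -sha256 -days 1024 -in "$dir/$host.csr" \
        -CA "$dir/RootCA.pem" -CAkey "$dir/RootCA.key" -CAcreateserial \
        -extfile "$dir/domains.ext" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"    # private key: owner-only, never 644
}

# Exit 0 if <cert> ($2) chains to a CA in <bundle> ($1), non-zero otherwise.
# -no-CApath keeps the system CA directory out of the check, so the result
# reflects only the bundle you pass (RootCA.pem here, or
# /etc/pki/tls/certs/ca-bundle.crt after update-ca-trust).
verify_against_bundle() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if <cert> ($1) lists <host> ($2) in its subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```

Call the functions in order: make_root_ca, write_domains_ext with every hostname the server will answer to, then issue_cert once per certificate. Verifying against an empty bundle must fail; that negative check is what tells you a later "OK" against the system bundle really comes from your anchor and not from a stale file.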

Firefox

There are two things you need to do.

First go to about:config and set security.enterprise_roots.enabled to true.

Then import the certificate by going to about:preferences#privacy > Certificates > Import > RootCA.pem > Confirm for websites.

Usually, the first step should be enough but sometimes Firefox complains, so add the certificate just in case.
