Thanks to minica it is very easy to create locally trusted TLS certificates that have a very long expiration date.

To get started you need the Go tools installed and set up correctly in your environment. Once that is done, adapt `gen_certs.sh` to fit your needs. There should be an entry for each domain you want to create a certificate for, and every subdomain must be listed explicitly, because the certificate is not a wildcard one. The `rm -rf domain.com` line is there because minica doesn't overwrite existing certificates.

For example, if your development server needs to listen on https://some.domain.cool, the entry for it should be

```sh
rm -rf domain.cool
minica --domains domain.cool,some.domain.cool
```

After that you can simply run `gen_certs.sh` and the certificates will be generated.
After the run there will be a new folder, named after the domain (`domain.cool` in the example above), containing a `cert.pem` and a `key.pem` file. Those can be referenced in the configuration of the webserver, for example in Apache:

```apache
# the cert files and key location
SSLCertificateFile /etc/apache2/certs/domain.cool/cert.pem
SSLCertificateKeyFile /etc/apache2/certs/domain.cool/key.pem
```

Change the paths to match the ones specified.
Restarting the webserver will still show you that the certificates are invalid. That's because the root authority has not yet been trusted.

In the root folder, right next to the `gen_certs.sh` file, you will find two new files: `minica.pem` (the certificate) and `minica-key.pem` (the key). Together they make up the minica root CA. To have your certificates trusted, the certificate `minica.pem` has to be added to your local keystore as a Trusted Root Certification Authority. The key `minica-key.pem` is what signs every certificate that root vouches for, so it stays private on your machine and is never imported anywhere.
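As an added example (not part of this README and not minica's own code), the following Go program performs the same check a browser or curl makes once `minica.pem` is trusted: `verifyLeaf` confirms that a `cert.pem` chains to `minica.pem` and covers a given host name, and it shows that a subdomain missing from `--domains` fails because the certificate is not a wildcard one. The `issue` helper is a constructed stand-in that mints a root and leaf in memory so the program runs without minica installed; `verifyLeaf` works on the real files too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// verifyLeaf performs the check a browser or curl makes once minica.pem is trusted:
// cert.pem must chain to that root and list host among its SANs (no wildcard match).
func verifyLeaf(rootPEM, leafPEM []byte, host string) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(leafPEM)
	if !roots.AppendCertsFromPEM(rootPEM) || block == nil {
		return fmt.Errorf("root or leaf is not a PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	}
	return err
}

// issue is a constructed stand-in for minica's output (not minica's own code): a self-signed root and a leaf whose SANs are exactly sans.
func issue(sans []string) (rootPEM, leafPEM []byte) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "minica root ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: sans[0]}, DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(2, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	rootDER, err1 := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey)
	leafDER, err2 := x509.CreateCertificate(rand.Reader, leaf, root, &leafKey.PublicKey, rootKey)
	if err1 != nil || err2 != nil {
		panic("building the constructed test certificates failed")
	}
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(rootDER), toPEM(leafDER)
}

func main() {
	rootPEM, leafPEM := issue([]string{"domain.cool", "some.domain.cool"})
	// first result is nil; the second is a hostname error because other.domain.cool is not a SAN
	fmt.Println(verifyLeaf(rootPEM, leafPEM, "some.domain.cool"), verifyLeaf(rootPEM, leafPEM, "other.domain.cool"))
}
```

To check real output, read `minica.pem` and `domain.cool/cert.pem` with `os.ReadFile` and pass them to `verifyLeaf`.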
The steps on Windows are pretty easily achieved (props to childno.de):

- Start `mmc.exe` as Admin, then `File > Add/Remove Snap-in...`
- Look for the `Certificates` snap-in and `Add >` it
- Choose `Computer Account` when prompted and hit Finish
- Mark the `Trusted Root Certification Authorities` entry in the tree and right click it. In the context menu choose `All Tasks > Import...`
- Navigate to the folder where `minica.pem` is located. Don't worry about the file extension, just choose to display all files.
- Select `minica.pem`, choose `Open` and leave the following options as is.
- Look for an entry starting `minica root ca` in the list.
- Restart your browsers.

Your certificates are now trusted.
On Mac it is not much work (see here):

- Open `Keychain Access`, then `File > Import Items...`
- Select `minica.pem`
- Right click on `minica root ca` and choose `Get Info`
- Open `Trust` and select `Always Trust` on `When using this certificate`
- Restart your browsers.

Your certificates are now trusted.
Also have a look here:

System

Install the root certificate on your system:

```sh
sudo cp minica.pem /usr/local/share/ca-certificates/minica.crt
sudo chmod 644 /usr/local/share/ca-certificates/minica.crt
sudo update-ca-certificates
```

Verify that your system utilities like `curl` or `wget` recognize the certificate:

```sh
curl https://local.vn.at -v 2>&1 | grep -i 'minica root'
```

Browser (Firefox, Chromium,...)

Unlike Mac, Linux doesn't have a single trust store that every application uses; NSS-based browsers keep their own certificate databases.
Instead of adding the certificate manually for each application, lazy developers use a script.
First install the `certutil` tool:

```sh
sudo apt install libnss3-tools
```

This script finds the NSS trust store databases in your home directory and imports the new root certificate into each of them.
```sh
#!/bin/sh
### Script installs minica.pem to the certificate trust store of applications using NSS
### (e.g. Firefox, Thunderbird, Chromium)
### Mozilla uses cert8, Chromium and Chrome use cert9
###
### Requirement: apt install libnss3-tools
###
### CA file to install (customize!)
### Retrieve certname: openssl x509 -noout -subject -in minica.pem
###
certfile="minica.pem"
certname="minica root ca"
###
### For cert8 (legacy - DBM)
### (paths are read line by line and quoted so directories with spaces work)
###
find ~/ -name "cert8.db" | while read -r certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "dbm:${certdir}"
done
###
### For cert9 (SQL)
###
find ~/ -name "cert9.db" | while read -r certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "sql:${certdir}"
done
```
Restart your browsers.
Your certificates are now trusted.