
Self-Signed Certificates

This example assumes Red Hat Enterprise Linux 8 as the server operating system. The following script generates a local CA key and certificate, then generates a new server key and certificate signed by that local CA.

Certificate Generation

Create a script cert-gen.sh with the following content:

#!/bin/bash
set -e

# PARAMETERS
CA_CN="ca.local"
CA_KEYPASSWORD="changeme"
CA_DAYS=3650
CA_COUNTRY="UK"
CA_STATE="South Yorks"
CA_LOCATION="Doncaster"
CA_ORG="Local CA"
CA_UNIT="CA dept"
CA_EMAIL="noreply@ca.local"

CERT_CN="www.exampleforyou.net"
CERT_ALT_NAME="*.exampleforyou.net"
CERT_KEYPASSWORD="changeme"
CERT_DAYS=3650
CERT_COUNTRY="UK"
CERT_STATE="South Yorks"
CERT_LOCATION="Doncaster"
CERT_ORG="Exampleforyou"
CERT_UNIT="Developers"
CERT_EMAIL="noreply@exampleforyou.net"

# Create ext file.
# The unnamed section at the top is what "openssl x509 -extfile" applies when
# signing: it marks the certificate as a leaf (CA:FALSE) and sets the
# subjectAltName entries that browsers match against (the CN alone is not
# enough for modern browsers). The [req], [dn] and [req_ext] sections are only
# read when "openssl req" is run with -config; the CSR below passes the subject
# with -subj instead, so they are kept for reference only.
/bin/cat > "$CERT_CN.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C=$CERT_COUNTRY
ST=$CERT_STATE
L=$CERT_LOCATION
O=$CERT_ORG
OU=$CERT_UNIT
CN=$CERT_CN

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1=$CERT_CN
DNS.2=$CERT_ALT_NAME
EOF

# CA Cert
# Create passphrase-protected private key for the local CA
/usr/bin/openssl genrsa -des3 -out local-ca.key -passout pass:"$CA_KEYPASSWORD" 2048

# Create self-signed root certificate
/usr/bin/openssl req -x509 -new -nodes -key local-ca.key -sha256 -days "$CA_DAYS" -passin pass:"$CA_KEYPASSWORD" -subj "/C=$CA_COUNTRY/ST=$CA_STATE/L=$CA_LOCATION/O=$CA_ORG/OU=$CA_UNIT/CN=$CA_CN/emailAddress=$CA_EMAIL" -out local-ca.crt

# Certificate
# Create passphrase-protected private key for the host
/usr/bin/openssl genrsa -des3 -out "$CERT_CN.key" -passout pass:"$CERT_KEYPASSWORD" 2048

# Generate Certificate Signing Request (subject supplied on the command line)
/usr/bin/openssl req -new -key "$CERT_CN.key" -out "$CERT_CN.csr" -passin pass:"$CERT_KEYPASSWORD" -days "$CERT_DAYS" -subj "/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_LOCATION/O=$CERT_ORG/OU=$CERT_UNIT/CN=$CERT_CN/emailAddress=$CERT_EMAIL"

# Remove the password from the private key so the web server can load it
# without prompting; the encrypted copy is kept as $CERT_CN.key.original
/usr/bin/cp "$CERT_CN.key" "$CERT_CN.key.original"
/usr/bin/openssl rsa -in "$CERT_CN.key.original" -out "$CERT_CN.key" -passin pass:"$CERT_KEYPASSWORD"

# Create Certificate: sign the CSR with the local CA and apply the extensions
# from the ext file (this is where the SAN is added)
/usr/bin/openssl x509 -req -in "$CERT_CN.csr" -CA local-ca.crt -CAkey local-ca.key -CAcreateserial -passin pass:"$CA_KEYPASSWORD" -out "$CERT_CN.crt" -days "$CERT_DAYS" -sha256 -extfile "$CERT_CN.ext"

Make the script executable:

chmod +x cert-gen.sh

And run:

./cert-gen.sh
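To confirm that what cert-gen.sh produced actually chains to the local CA and carries a subjectAltName covering the hostname (the two things a browser checks once local-ca.crt is imported), here is an added verification helper; it is not part of the page's script. make_fixture builds a throwaway CA and server certificate in a temp directory (constructed for this example, with no key passphrases) so the block runs offline; on a real host call verify_server_cert with local-ca.crt and www.exampleforyou.net.crt instead.

```shell
#!/bin/bash
# Added check (not part of cert-gen.sh): confirm a server certificate chains to
# the local CA and that its subjectAltName covers a given hostname.
# Usage on the page's output:
#   verify_server_cert local-ca.crt www.exampleforyou.net.crt www.exampleforyou.net
verify_server_cert() {
  local ca="$1" crt="$2" host="$3"
  # 1. chain: the leaf must be signed by, and still valid under, the given CA
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  # 2. name: -checkhost matches subjectAltName entries (wildcards included) and
  #    ignores the CN; it prints "... does match" or "... does NOT match"
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q "does match"
}

# Throwaway CA + leaf with the same SAN layout as the page's script, built in a
# temp directory so the check can be tried offline. Constructed for this
# example only: no key passphrases, 30-day validity. Prints the directory.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -days 30 -subj "/CN=ca.local" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/srv.key" \
    -out "$dir/srv.csr" -subj "/CN=www.exampleforyou.net" >/dev/null 2>&1
  printf '%s\n' "authorityKeyIdentifier=keyid,issuer" "basicConstraints=CA:FALSE" \
    "subjectAltName=DNS:www.exampleforyou.net,DNS:*.exampleforyou.net" \
    > "$dir/srv.ext"
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/srv.crt" -days 30 -sha256 \
    -extfile "$dir/srv.ext" >/dev/null 2>&1
  echo "$dir"
}

# Demo: the wildcard covers exactly one label, so api.exampleforyou.net passes
# while the apex exampleforyou.net and an unrelated name are rejected.
d="$(make_fixture)"
for h in www.exampleforyou.net api.exampleforyou.net exampleforyou.net www.other.net; do
  if verify_server_cert "$d/ca.crt" "$d/srv.crt" "$h"; then
    echo "$h: OK"
  else
    echo "$h: REJECTED"
  fi
done
rm -rf "$d"
```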

Tip

You can import the generated local-ca.crt certificate into any browser's list of trusted Certificate Authorities, found under its settings. Only local-ca.crt needs to be trusted; the server certificate is then accepted because it chains to it.

Install CA certificate

Red Hat Enterprise Linux

On Red Hat Enterprise Linux 8, you can then import and trust the local CA certificate:

cp local-ca.crt /usr/share/pki/ca-trust-source/anchors/
update-ca-trust

Ubuntu

sudo apt-get install -y ca-certificates

Notice the file extension: Ubuntu's update-ca-certificates only picks up files ending in .crt from /usr/local/share/ca-certificates:

sudo cp local-ca.crt /usr/local/share/ca-certificates/local-ca.crt
sudo update-ca-certificates

Local DNS

Add your domain to /etc/hosts for local testing, simulating real DNS resolution. Open the file (for example with vi /etc/hosts) and add the hostname to the loopback entry:

127.0.0.1   localhost www.exampleforyou.net