Thursday, January 12, 2012

OpenSSL - Create your own Certificate of Authority and sign your SSL Certs

Creating your own CA for Signing Dev Certs



Here are some handy commands to create a CA and sign your own cert for development.



The commands are fully scriptable: key passphrases are skipped with the -nodes flag, and openssl's interactive prompts are avoided by passing the subject on the command line with the -subj flag.


tl;dr: Short version for the impatient:



# Create Certificate of Authority
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Development/CN=Dev Certificate of Authority"
openssl req -subj "$SUBJ" -nodes -new -x509 -extensions v3_ca -keyout devCA.key -out devCA.crt -days 365

# Create Key and CSR (one req invocation does both)
HOST="appname.local"
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Dev Web Sites/CN=$HOST"
openssl req -subj "$SUBJ" -newkey rsa:2048 -nodes -keyout "$HOST.key" -out "$HOST.csr"

# Create the Cert by signing the CSR with our CA
# (-days belongs on this step: req ignores it without -x509, and x509 -req defaults to 30 days)
openssl x509 -req -CA devCA.crt -CAkey devCA.key -CAcreateserial -in "$HOST.csr" -out "$HOST.crt" -days 365


Add appname.local.key and appname.local.crt to your Apache/nginx/IIS config, and import devCA.crt into your browser's trusted root store.



Long Version.



When developing web services that will use SSL in production, I like to use SSL in development too.



The old way



The traditional way to do this is to create a self-signed cert, where you sign your Certificate Signing Request (CSR) with the same key that created it (thus "self-signed").



HOST="appname.local"
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Dev/CN=$HOST"
# -x509 makes req emit a self-signed cert instead of a CSR, so key and cert come out of one command
openssl req -subj "$SUBJ" -x509 -newkey rsa:2048 -nodes -keyout "$HOST.key" -out "$HOST.crt" -days 3650 ## look mom! One line.



Then add it to the Apache config:


<VirtualHost 172.16.1.1:443>
ServerName appname.local:443
DocumentRoot "/Users/lance/Sites/AppName/src/webroot"

SSLEngine on
SSLCertificateFile "/Users/lance/Sites/AppName/certs/appname.local.crt"
SSLCertificateKeyFile "/Users/lance/Sites/AppName/certs/appname.local.key"
</VirtualHost>


This works great, but now for every new SSL cert I generate I have to add a trust exception in my browser.



A better way



To avoid a trust exception for each self-signed cert, first generate a "Certificate of Authority" (CA), add that CA to your browser, and then sign all of your certs with that CA.


# Create CA
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Development/CN=Dev Certificate of Authority"
openssl req -subj "$SUBJ" -new -x509 -nodes -extensions v3_ca -keyout devCA.key -out devCA.crt -days 3650

# Create Key and CSR (same as above)
HOST="appname.local"
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Dev Web Sites/CN=$HOST"
openssl req -subj "$SUBJ" -newkey rsa:2048 -nodes -keyout "$HOST.key" -out "$HOST.csr"

# Create the Cert by signing the CSR with our CA
# (-days belongs on this step: req ignores it without -x509, and x509 -req defaults to 30 days)
openssl x509 -req -CA devCA.crt -CAkey devCA.key -CAcreateserial -in "$HOST.csr" -out "$HOST.crt" -days 365

# cleanup CSR
rm "$HOST.csr"
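The two workflows side by side, as an added example that is not code from the original post: it builds the dev CA and a CA-signed server cert as in "A better way", builds a self-signed cert as in "The old way", and then runs the checks a browser performs once devCA.crt is trusted (does the cert chain to the CA, does the key match the cert, and how long is it valid). It assumes openssl is on PATH and writes into a scratch directory; the function names are this example's own, and the subjects and hostname are the post's example values.

```shell
#!/bin/sh
# Added example (not from the original post): CA-signed vs self-signed dev
# certs, plus the verification steps that show why the CA approach avoids
# per-cert trust exceptions. Assumes `openssl` on PATH; uses a scratch dir.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

HOST="appname.local"
CA_SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Development/CN=Dev Certificate of Authority"
SRV_SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Dev Web Sites/CN=$HOST"

# Dev CA: a self-signed root carrying CA:TRUE basic constraints (-extensions v3_ca).
make_ca() {
    openssl req -subj "$CA_SUBJ" -nodes -new -x509 -extensions v3_ca \
        -keyout devCA.key -out devCA.crt -days 3650 2>/dev/null
}

# Server key + CSR in one `req`, then sign the CSR with the CA.
# -days goes on the signing step: `req` ignores it without -x509, and
# `x509 -req` falls back to 30 days when it is omitted.
make_ca_signed_cert() {
    openssl req -subj "$SRV_SUBJ" -newkey rsa:2048 -nodes \
        -keyout "$HOST.key" -out "$HOST.csr" 2>/dev/null
    openssl x509 -req -CA devCA.crt -CAkey devCA.key -CAcreateserial \
        -in "$HOST.csr" -out "$HOST.crt" -days 365 2>/dev/null
    rm "$HOST.csr"
}

# The old way: key and self-signed cert from one command, for comparison.
make_self_signed_cert() {
    openssl req -subj "$SRV_SUBJ" -x509 -newkey rsa:2048 -nodes \
        -keyout selfsigned.key -out selfsigned.crt -days 3650 2>/dev/null
}

# Exit 0 if the cert chains to devCA.crt: this is what trusting the CA buys you.
verify_against_ca() {
    openssl verify -CAfile devCA.crt "$1" >/dev/null 2>&1
}

# Exit 0 if the private key and the cert carry the same public key
# (catches a key/cert mix-up before it reaches the web server config).
key_matches_cert() {
    [ "$(openssl pkey -pubout -in "$1" 2>/dev/null)" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# Exit 0 if the cert does not expire within the next N days (-checkend takes seconds).
valid_for_at_least_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null
}

make_ca
make_ca_signed_cert
make_self_signed_cert

openssl x509 -noout -subject -issuer -enddate -in "$HOST.crt"
verify_against_ca "$HOST.crt" && echo "$HOST.crt: chains to devCA.crt"
verify_against_ca selfsigned.crt || echo "selfsigned.crt: not trusted via devCA.crt (would need its own browser exception)"
echo "files written to $WORK"
```

Run it once and look at the two verify lines: the CA-signed cert passes against devCA.crt, the self-signed one fails with a self-signed-certificate error, which is exactly the per-cert exception the post is avoiding. The -checkend helper is also a cheap way to confirm that -days landed on the signing step rather than on the CSR.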


Thoughts



These commands are the shortest way I've found to create keys and CSRs and sign them. Other guides often use three steps to produce the CSR (1: genrsa, 2: export the key without a passphrase, 3: req), whereas a single req invocation does it.



Hint: By using the -subj flag we can bypass openssl's interactive prompts.



Hint: I use a virtual IP for each HTTPS web service I need:
OS X: $ ifconfig lo0 alias 172.16.1.1
Linux: $ ifconfig lo:0 172.16.1.1
Windows: http://support.microsoft.com/kb/236869



http://gagravarr.org/writing/openssl-certs/ca.shtml
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
