Warning: Do NOT, never, ever do that to a production system!
Promised? OK! Here's the use case: you want to test your systems that have made-up addresses like awesomeserver.local and don't want to deal with certificate warnings or fancy errors that arise when you just use a self-signed cert. This post is a self-reference for my convenience. There are ample other instructions out there.
The process requires a series of steps:
- Create the private key and root certificate
- Create an intermediate key and certificate
- Create certs for your servers
- Convert them if necessary (e.g. for import into a Java KeyStore, JKS)
- Make the public key of the root and intermediate certs available
- Import these certs in all browsers and runtimes that you will use for testing
Normal mortal users without these imports will get scary error messages. While this doesn't deter the determined, it's good for a laugh.
We don't want old-school certs, so we aim for a modern elliptic-curve cert (Details here). Here we go:
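
    # Directories need the execute (search) bit, so 700 rather than 600
    mkdir -pv -m 700 /root/ca/intermediate
    cd /root/ca
    # Fetch the sample root and intermediate OpenSSL configurations
    curl https://jamielinux.com/docs/openssl-certificate-authority/_downloads/root-config.txt -o openssl.cnf
    curl https://jamielinux.com/docs/openssl-certificate-authority/_downloads/intermediate-config.txt -o intermediate/openssl.cnf
    # Directory layout and bookkeeping files for the root CA
    mkdir certs crl newcerts private
    chmod 700 private
    touch index.txt
    echo 1000 > serial
    # Same layout for the intermediate CA, plus csr/ and a CRL counter
    cd intermediate
    mkdir certs crl csr newcerts private
    chmod 700 private
    touch index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    cd ..
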
Check the downloaded files and, if needed, change the path in them in case you have chosen to use a different one.
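
    export OPENSSL_CONF=./openssl.cnf
    # Generate a P-256 key and store it encrypted with AES-256 (prompts for a passphrase)
    openssl ecparam -genkey -name prime256v1 -outform PEM | openssl ec -aes256 -out private/ca.key.pem
    chmod 400 private/ca.key.pem
    # Self-signed root certificate, valid for 7300 days, signed with SHA-384
    openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha384 -extensions v3_ca -out certs/ca.cert.pem
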
Keep them safe - remember: "it's on my hard drive only" isn't safe!!!
You want to check the file using

    openssl x509 -noout -text -in certs/ca.cert.pem

or, on macOS, just hit the space key in Finder.
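The manual check above can be scripted so that a wrong curve, digest or missing CA flag is caught before the root is imported anywhere. This is an added example, not part of the original post: the function names `make_sample_root` and `check_root_cert` and the inline config are constructed for illustration, and the sample key is left unencrypted only because it lives in a temp directory and is deleted right away.

```sh
#!/bin/sh
# Added example: build a throwaway root in a temp dir and verify its properties.
# The config is constructed for this example; it is not the downloaded root-config.txt.

make_sample_root() {   # usage: make_sample_root <dir> [digest]
    dir=$1; digest=${2:-sha384}
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = Constructed Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Unencrypted key: acceptable only because this key is discarded immediately.
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ca.key.pem" &&
    openssl req -config "$dir/openssl.cnf" -key "$dir/ca.key.pem" -new -x509 \
        -days 7300 "-$digest" -out "$dir/ca.cert.pem"
}

check_root_cert() {    # usage: check_root_cert <cert.pem>; returns 0 if all checks pass
    cert=$1; rc=0
    text=$(openssl x509 -noout -text -in "$cert") || return 1
    want() {           # want <description> <fixed string expected in the text dump>
        if printf '%s\n' "$text" | grep -qF -- "$2"; then echo "ok    $1"
        else echo "FAIL  $1"; rc=1; fi
    }
    want "CA flag set"         "CA:TRUE"
    want "P-256 key"           "ASN1 OID: prime256v1"
    want "signed with SHA-384" "Signature Algorithm: ecdsa-with-SHA384"
    # A root must verify against itself (self-signed, subject == issuer).
    if openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then echo "ok    self-signed"
    else echo "FAIL  self-signed"; rc=1; fi
    return $rc
}

# Demo run on a constructed certificate; skipped if openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d) && make_sample_root "$tmp" && check_root_cert "$tmp/ca.cert.pem"
    rm -rf "$tmp"
fi
```

To check the real root from the steps above, call `check_root_cert certs/ca.cert.pem` from `/root/ca`.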