Contents
1 Create Your Own SSL Certificate Authority for Local HTTPS Development
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
We’re ready to generate the private key that will make us a local CA:
openssl genrsa -des3 -out myCA.key 2048
Next, we generate a root certificate:
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
You should now have two files: myCA.key (your private key) and myCA.pem (your root certificate). Congratulations, you’re now a CA. Sort of.
Note (important): if you want your CA certificate to work properly on Android, add the following options when generating the CA:
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem -reqexts v3_req -extensions v3_ca
2 Adding the Root Certificate to Linux
There are so many Linux distributions, but Ubuntu is by far the most popular and it’s what we used when we built SpinupWP. Therefore these instructions will cover Ubuntu.
If it isn’t already installed, install the ca-certificates package.
emerge -avq app-misc/ca-certificates
Copy the myCA.pem file to the /usr/local/share/ca-certificates directory as a myCA.crt file.
cp ~/certs/myCA.pem /usr/local/share/ca-certificates/myCA.crt
Update the certificate store.
update-ca-certificates
You can test that the certificate has been installed by running the following command:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep Hellfish
# grep -i gilhad or whatever we used
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < myCA.pem   # to see it without installation
3 Creating CA-Signed Certificates for Your Dev Sites
Now we’re a CA on all our devices and we can sign certificates for any new dev sites that need HTTPS. First, we create a private key for the dev site (hellfish.test / wiki.gilhad.cz). Note that we name the private key after the domain name of the dev site. This is not required, but it makes things easier to manage if you have multiple sites:
openssl genrsa -out hellfish.test.key 2048
Then we create a CSR:
openssl req -new -key hellfish.test.key -out hellfish.test.csr
You’ll get all the same questions as you did above and, again, your answers don’t matter. In fact, they matter even less because you won’t be looking at this certificate in a list next to others.
Finally, we’ll create an X509 V3 certificate extension config file, which is used to define the Subject Alternative Name (SAN) for the certificate. In our case, we’ll create a configuration file called hellfish.test.ext containing the following text:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = hellfish.test
We’ll be running openssl x509 because the x509 command allows us to edit certificate trust settings. In this case we’re using it to sign the certificate in conjunction with the config file, which allows us to set the Subject Alternative Name. I originally found this answer on Stack Overflow.
Now we run the command to create the certificate, using our CSR, the CA private key, the CA certificate, and the config file:
openssl x509 -req -in hellfish.test.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out hellfish.test.crt -days 825 -sha256 -extfile hellfish.test.ext
We now have three files: hellfish.test.key (the private key), hellfish.test.csr (the certificate signing request, or csr file), and hellfish.test.crt (the signed certificate). We can configure local web servers to use HTTPS with the private key and the signed certificate.
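Before pointing a web server at the new files, it is worth checking them the way a browser will. The script below is an added example (not from the original post): it repeats the CA and site-certificate steps above non-interactively in a temporary directory and then verifies that the site certificate chains to the CA, is not itself a CA, and carries the hostname as a DNS SAN. The CA subject, hostnames and temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce the CA and site-cert
# steps non-interactively, then check the leaf before a web server uses it.
# The CA subject, hostnames and temporary directory are constructed.
set -eu

# make_ca DIR: CA key (no passphrase) and self-signed root, as in section 1.
make_ca() {
  openssl genrsa -out "$1/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$1/myCA.key" -sha256 -days 1825 \
    -subj "/CN=Example Local Dev CA" -out "$1/myCA.pem"
}

# make_site_cert DIR HOST: key, CSR, SAN ext file and CA-signed cert (section 3).
make_site_cert() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' \
    "subjectAltName = DNS:$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/myCA.pem" -CAkey "$1/myCA.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$1/$2.ext" \
    -out "$1/$2.crt" 2>/dev/null
}

# check_site_cert DIR NAME HOST: 0 only if NAME.crt chains to myCA.pem, is not
# itself a CA, and lists HOST as a DNS SAN (browsers ignore the CN).
check_site_cert() {
  crt="$1/$2.crt"
  openssl verify -CAfile "$1/myCA.pem" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL chain: $crt is not signed by myCA.pem"; return 1; }
  text=$(openssl x509 -in "$crt" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:FALSE' ||
    { echo "FAIL basicConstraints: a site cert must be CA:FALSE"; return 1; }
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
    tr ', ' '\n\n' | grep -qx "DNS:$3" ||
    { echo "FAIL SAN: $3 is not listed in $crt"; return 1; }
  echo "OK: $crt is valid for $3"
}

demo() {
  d=$(mktemp -d)
  make_ca "$d"
  make_site_cert "$d" hellfish.test
  check_site_cert "$d" hellfish.test hellfish.test                # OK
  check_site_cert "$d" hellfish.test www.hellfish.test || true    # FAIL SAN
  rm -rf "$d"
}
demo
```

The second check fails on purpose: the certificate only names hellfish.test, so a browser visiting www.hellfish.test would reject it even though the chain is fine.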
If you’re on Linux or Windows using Apache, you’ll need to enable the Apache SSL mod, and configure an Apache virtual host for port 443 for the local site. It will require you to add the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives, and point the last two to the certificate and key file you just created.
<VirtualHost *:443>
    ServerName hellfish.test
    DocumentRoot /var/www/hellfish-test
    SSLEngine on
    SSLCertificateFile /path/to/certs/hellfish.test.crt
    SSLCertificateKeyFile /path/to/certs/hellfish.test.key
</VirtualHost>
4 So, applying this to my problem
4.1 skript_CA
#!/bin/bash
# vim: fileencoding=utf-8:nowrap:textwidth=0:foldmethod=marker:foldcolumn=4:ruler:showcmd:lcs=tab\:|- list
# Prepare the CA database used by "openssl ca": serial counter, index and the working directories.
echo '01' > serial
touch index.txt
mkdir -p priv
mkdir -p public
mkdir -p server
mkdir -p certs
################################################################################
cat >openssl.cnf <<EOF
#
# OpenSSL configuration file.
#

# Establish working directory.
dir = .
ts = 1024
# Size of keys
default_bits = 1024
default_keyfile = key.pem       # name of generated keys
default_md = sha512             # message digest algorithm
string_mask = nombstr           # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#----------------------         ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
subjectAltName = DNS:name,DNS:name,....

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#------------------------------ ------------------------------
0.organizationName_default = Gilhad
localityName_default = Praha
stateOrProvinceName_default = Praha
countryName_default = CZ
commonName_default= Gilhad
organizationalUnitName_default = osvc
emailAddress_default = gilhad@seznam.cz

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/public/gilhad.CAcert.pem
private_key = \$dir/priv/gilhad.CAkey.pem
default_days = 36500
default_md = sha512
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
# Extension copying option: use with caution.
copy_extensions = copy

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
################################################################################
# CA private key (no passphrase) and self-signed root certificate.
openssl genrsa -out priv/gilhad.CAkey.pem 2048
# -extensions v3_ca applies the [ v3_ca ] section above so the root carries CA:TRUE
# (the same option the Android note in section 1 recommends).
openssl req -x509 -new -nodes -key priv/gilhad.CAkey.pem -days 36500 -out public/gilhad.CAcert.pem -config ./openssl.cnf -extensions v3_ca -batch
# openssl req -new -x509 -keyout priv/gilhad.CAkey.pem -out public/gilhad.CAcert.pem -days 36500 -config ./openssl.cnf -passout pass:heslo -batch
# Inspect the result: purposes, full text and validity dates.
openssl x509 -in public/gilhad.CAcert.pem -noout -purpose
openssl x509 -in public/gilhad.CAcert.pem -noout -text
openssl x509 -in public/gilhad.CAcert.pem -noout -dates
cp public/gilhad.CAcert.pem server
# Backup files that "openssl ca" leaves behind should not be committed.
echo index.txt.old >>.gitignore
echo index.txt.attr.old >>.gitignore
echo serial.old >>.gitignore
#####################################
git add certs priv public server index.txt openssl.cnf serial .gitignore
4.2 skript_web
#!/bin/bash
# vim: fileencoding=utf-8:nowrap:textwidth=0:foldmethod=marker:foldcolumn=4:ruler:showcmd:lcs=tab\:|- list
# Usage: name used for the output files, the commonName, then one or more SAN names.
# (Quote wildcard names such as '*.gilhad.cz' so the calling shell does not glob them.)
if [ $# == "0" ] ; then
    echo "$0 name.for.cert web.name.cz alt.name.1 [alt.name.2 ...]"
    echo " eg.: ./skript_web gilhad.cz *.gilhad.cz gilhad.cz *.gilhad.cz"
    exit
fi
save_as=$1
shift
web=$1
shift
alt_names=$1
# Fall back so that at least one SAN and a commonName always exist.
if [ "${alt_names}" == "" ] ; then
    alt_names=${web}
fi
if [ "${alt_names}" == "" ] ; then
    alt_names=${save_as}
fi
if [ "${web}" == "" ] ; then
    web=${save_as}`date '+ %Y.%m.%d %H:%M:%S'`
fi
# Extension file for the leaf certificate; DNS.n entries are appended below.
cat >v3_req.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
EOF
x=0
while true ; do
    echo "DNS.$((++x)) = $alt_names" >> v3_req.ext
    shift
    if [ $# == 0 ] ; then break; fi
    alt_names=$1
done
mkdir -p priv
mkdir -p public
mkdir -p server
mkdir -p certs
################################################################################
cat >openssl.web.cnf <<EOF
#
# OpenSSL configuration file.
#

# Establish working directory.
dir = .
ts = 1024
# Size of keys
default_bits = 1024
default_md = sha512             # message digest algorithm
string_mask = nombstr           # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
organizationName = Gilhad
localityName = Praha
stateOrProvinceName = Praha
countryName = CZ
commonName = ${web}
organizationalUnitName = osvc
emailAddress = gilhad@seznam.cz

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/public/gilhad.CAcert.pem
private_key = \$dir/priv/gilhad.CAkey.pem
default_days = 36500
default_md = sha512
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
# Extension copying option: use with caution.
#copy_extensions = copy

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
subjectAltName = optional
EOF
################################################################################
#1 private key
openssl genrsa -out priv/${save_as}.privkey.pem 2048
#2 Then we create a CSR:
openssl req -new -nodes -key priv/${save_as}.privkey.pem -out public/${save_as}.csr -config ./openssl.web.cnf
#openssl req -newkey rsa:4096 -nodes -out public/${save_as}.csr -keyout priv/${save_as}.privkey.pem -config ./openssl.web.cnf <<EOF
#
#
#
#
#
#
#${web}
#${alt_names}
#EOF
#openssl req -in public/${save_as}.csr -text -verify -noout
#3 create the certificate
# "yes" answers the sign/commit prompts; the SANs come from v3_req.ext via -extfile
# (copy_extensions is off above, so nothing is taken from the CSR itself).
#yes|openssl ca -passin pass:heslo -in public/${save_as}.csr -out public/${save_as}.pem -config ./openssl.web.cnf
yes|openssl ca -passin pass:heslo -in public/${save_as}.csr -out public/${save_as}.pem -config ./openssl.web.cnf -extfile v3_req.ext
# openssl x509 -req -in hellfish.test.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out hellfish.test.crt -days 825 -sha256 -extfile hellfish.test.ext
cp priv/${save_as}.privkey.pem public/${save_as}.pem server
openssl x509 -in server/${save_as}.pem -noout -text
# rm openssl.web.cnf
#####################################
git add certs priv public server index.txt.attr index.txt serial