Becoming your own local certificate authority (and issuing your first certificate)

An article, posted about 6 years ago, filed in security, chrome, Firefox, Safari, certificate & how I do it.

It has been quite some time, but here is another 'how I do it' article :)

If, like me, you have by 'accident' chosen as a convention for your local development, and you want to keep using that convention, you will need to become your own CA. There is no way around it: I tried searching for ways to disable HSTS for it, or to get a certificate for it, but to no avail. Being your own CA, however, makes you HSTS-proof: HSTS forbids clicking through a certificate warning, but it is perfectly happy with a certificate that chains to a root your browser trusts (note that you normally can't override an HSTS policy once the browser has it; that is by design). In the old days you could simply mark your own self-signed certificate as trusted for your own domains. That is becoming less of an option these days. Becoming your own CA still is.

Warning: The chain of trust

You are about to add your own root CA to your browser's trust store, so you should trust yourself, and never share the root CA's key with anyone else. From that moment on you can only trust an SSL connection if you are sure that nobody but the site's owner has been able to obtain a certificate for that site. Whoever holds your root key can issue a certificate for any domain, including sites you do not control, and your browser will accept it without complaint: that is exactly how a man-in-the-middle is made to look trustworthy.

1. Become an authority

Make sure you do this in a directory that is readable only by your user (you'll protect the key with a passphrase as well, but as another level of

openssl genrsa -aes256 -out rootCA.key 4096
openssl req -x509 -new -key rootCA.key -sha256 -days 1024 -out rootCA.pem

The -aes256 flag encrypts the root key with the passphrase mentioned above; you will be asked for it every time you sign something. The result is, by design, a self-signed certificate, which you will have to add to your browser's or your system's list of trusted root certificates.

Great, you’re a CA now (for your own machine :) )!

2. Create a certificate signing request

First create a private key for your project / server:

openssl genrsa -out projectname.key 2048

Now create a Certificate Signing Request. The CSR is the only thing the CA needs to see; the private key stays where it was generated (you should never, ever copy private keys around):

openssl req -new -key projectname.key -out projectname.csr

3. Sign it

This step is typically performed by a third party, but hey, we're our own CA now :)

openssl x509 -req -in projectname.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out projectname.crt -days 500 -sha256

One caveat: current browsers ignore the Common Name and only accept a certificate whose subjectAltName extension lists the hostname. A bare `openssl x509 -req` copies no extensions from the CSR, so pass them in with -extfile (see the example below the steps). Point your nginx / apache at projectname.key and projectname.crt, import rootCA.pem into your browser or system trust store, and continue hacking!
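The three steps above as one script, with the subjectAltName extension that browsers require and a check that the issued certificate actually chains to the root. This is an added example, not a script from the original article; the directory layout, the `Local development root CA` subject, the `projectname` file names and the `.test` hostnames (a name reserved by RFC 6761 that never resolves publicly) are my choices. The root key is left unencrypted so the script runs unattended; add -aes256 to the first genrsa line to get the passphrase protection the article recommends.

```sh
#!/bin/sh
# Added example (not from the original article): become a local CA and
# issue one server certificate, then verify the chain.
set -eu

# Step 1: root key and self-signed root certificate. Add -aes256 to the
# genrsa line to protect the key with a passphrase (you will then be
# prompted at every signing); left out here so the script runs unattended.
make_root_ca() {
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir"      # only you can read the CA material
  openssl genrsa -out "$dir/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -key "$dir/rootCA.key" -sha256 -days 1024 \
    -subj "/CN=Local development root CA" -out "$dir/rootCA.pem"
}

# Steps 2 and 3: server key, CSR, and signing by our own root. The private
# key never leaves the server side; the CA only ever sees the CSR. Browsers
# ignore the CN and require a subjectAltName, so every hostname passed in is
# written into an extension file that x509 -req applies while signing.
issue_cert() {
  dir=$1; name=$2; shift 2
  san=$(printf 'DNS:%s,' "$@"); san=${san%,}
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$1" -out "$dir/$name.csr"
  cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/rootCA.pem" \
    -CAkey "$dir/rootCA.key" -CAcreateserial -days 500 -sha256 \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Check: the leaf chains to our root and carries the hostname in its SAN.
# Prints "ok" and returns 0 on success, returns 1 otherwise.
verify_cert() {
  dir=$1; name=$2; host=$3
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "DNS:$host" || return 1
  echo ok
}

# Usage: sh localca.sh demo
if [ "${1:-}" = "demo" ]; then
  ca=$(mktemp -d)
  make_root_ca "$ca"
  issue_cert "$ca" projectname projectname.test www.projectname.test
  verify_cert "$ca" projectname projectname.test
  echo "CA material in $ca; import $ca/rootCA.pem into your trust store"
fi
```

The extension file also sets `basicConstraints = CA:FALSE` and `extendedKeyUsage = serverAuth`: the first keeps a leaked server key from being usable to sign further certificates, the second is required by Apple's and Chrome's validation for certificates issued from a locally trusted root.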
