It has been quite some time, but here is another 'how I do it' article :)
If, by 'accident', you have, like me, chosen projectname.dev as your local development convention and want to keep using it, you will need to become your own CA; there is no way around it. The whole .dev top-level domain ships in the browsers' HSTS preload list, so every *.dev hostname is forced onto HTTPS before the first request is made, and for an HSTS host the browser also refuses to let you click through a certificate warning. I tried searching for 'disabling HSTS for localhost.dev' and 'certificate for localhost.dev', but to no avail: a preloaded HSTS policy cannot be overridden per site, and that is by design. HSTS does not care who issued the certificate, only that the browser trusts it, which is why being your own CA makes you HSTS proof. In the old days you could simply mark your own self-signed certificate as trusted for your own domains; browsers have made that harder over the years. Becoming your own CA, however, still is an option.
Trust yourself, and do not share your root CA's key with anyone else. Once you add your own root CA to your browser's trust store, you can only trust a TLS connection when you are sure that nobody but the site's owner could have obtained a certificate for that site. Whoever holds your root key can make a MITM of any site look legitimate, not just your projects: a root CA is, by default, not scoped to particular domains, so a root trusted for projectname.dev is trusted for your bank's domain too. (A nameConstraints extension on the root can restrict it to names under .dev, and Chrome and Firefox honour it; the root generated below is unconstrained.)
Make sure you do this in a directory that only your own user can read (you'll protect the key with a passphrase as well, but as another level of
openssl genrsa -aes256 -out rootCA.key 4096
openssl req -x509 -new -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Note the -aes256: without it genrsa writes the key to disk unencrypted, and there is no passphrase to speak of. The -nodes flag you see in many tutorials only matters when req generates the key itself (-newkey), so it has no effect here and is left out.
This is, by design, a self-signed certificate (issuer and subject are the same), and it will need to be added to your browser's or system's trusted certificate list. Chrome and Safari use the operating system's store; Firefox keeps its own, so you may have to import rootCA.pem there separately.
Great, you’re a CA now (for your own machine :) )!
First create a private key for your project / server:
openssl genrsa -out projectname.key 2048
(No sudo needed: it would only leave the key owned by root.)
Now, create a Certificate Signing Request. The private key stays where it was generated and only the CSR travels to the CA, which is why you should never have to copy private keys around:
openssl req -new -key projectname.key -out projectname.csr
This step is normally done by a third party, but hey, we're our own CA now :). One thing to get right: openssl x509 -req copies no extensions from the CSR, so as written the certificate would carry no subjectAltName, and Chrome (since version 58) ignores the CN entirely and rejects such a certificate with NET::ERR_CERT_COMMON_NAME_INVALID. Put the hostname in a small extension file first, for example projectname.ext containing the single line subjectAltName = DNS:projectname.dev, and hand it to the signing command with -extfile:
openssl x509 -req -in projectname.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out projectname.crt -days 500 -sha256 -extfile projectname.ext
Point your nginx / apache at projectname.key and projectname.crt, reload it, and continue hacking!
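The whole procedure above (root CA, project key, CSR, signing) as one runnable script, added here as an example and not code from the original post. It goes a bit beyond the steps above: the leaf certificate gets a subjectAltName, and the root gets a nameConstraints extension so it can only vouch for names under .dev, which limits the damage if the root key ever leaks. The directory names, hostnames, subject names and validity periods are assumptions made for this example; the root key is written unencrypted so the script can run unattended, which you would not do for a root you keep around.

```shell
#!/bin/sh
# Added example, not part of the original post: a complete local-CA workflow.
# Directory names, hostnames and extension settings are assumptions made here.
set -e

# Create a root CA in directory $1 (rootCA.key and rootCA.pem).
# The key is left unencrypted so the script runs unattended; for a root you
# keep, add -aes256 to genrsa and choose a passphrase.
make_root_ca() {
  ca_dir=$1
  mkdir -p "$ca_dir" && chmod 700 "$ca_dir"
  openssl genrsa -out "$ca_dir/rootCA.key" 4096 2>/dev/null
  # A private req config, so the extensions come from here and not from the
  # system openssl.cnf. nameConstraints limits what this root may sign for:
  # a certificate it issues for example.com will not validate anywhere.
  cat > "$ca_dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local development root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.dev
EOF
  # -x509 makes the output a self-signed certificate instead of a CSR.
  openssl req -x509 -new -key "$ca_dir/rootCA.key" -config "$ca_dir/ca.cnf" \
    -sha256 -days 1024 -out "$ca_dir/rootCA.pem" 2>/dev/null
}

# Issue a server certificate for hostname $2, signed by the CA in $1.
# $3 may add SAN entries, e.g. "DNS:www.projectname.dev" (all must be under .dev
# because of the root's name constraint). Produces $1/$2.key and $1/$2.crt.
issue_cert() {
  ca_dir=$1; host=$2; extra_san=${3:-}
  openssl genrsa -out "$ca_dir/$host.key" 2048 2>/dev/null
  # The CSR carries only the public key and subject; the key never leaves here.
  openssl req -new -key "$ca_dir/$host.key" -subj "/CN=$host" \
    -out "$ca_dir/$host.csr" 2>/dev/null
  san="DNS:$host"
  if [ -n "$extra_san" ]; then san="$san,$extra_san"; fi
  # The extension file is what a plain `openssl x509 -req` lacks: without a
  # subjectAltName, Chrome ignores the CN and rejects the certificate.
  cat > "$ca_dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -in "$ca_dir/$host.csr" \
    -CA "$ca_dir/rootCA.pem" -CAkey "$ca_dir/rootCA.key" -CAcreateserial \
    -days 500 -sha256 -extfile "$ca_dir/$host.ext" \
    -out "$ca_dir/$host.crt" 2>/dev/null
}

# Check a certificate the way a browser will: it must chain to the root,
# name constraints included, and carry the hostname in its SAN.
# Returns 0 when both hold, 1 otherwise.
verify_cert() {
  ca_dir=$1; host=$2
  openssl verify -CAfile "$ca_dir/rootCA.pem" "$ca_dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$ca_dir/$host.crt" -noout -text | grep -qF "DNS:$host"
}

# Usage (uncomment): make the CA once, then one certificate per project.
# make_root_ca "$HOME/.local-ca"
# issue_cert "$HOME/.local-ca" projectname.dev "DNS:www.projectname.dev"
# verify_cert "$HOME/.local-ca" projectname.dev && echo "projectname.dev: OK"
```

Because the root carries a name constraint, every SAN on a leaf has to sit under .dev; asking for DNS:localhost on the same certificate would make openssl verify, and the browser, reject it. If you do want a single certificate that also covers localhost, drop the nameConstraints line from ca.cnf and accept that the root is then unconstrained.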
Enjoyed this? Follow me on Mastodon or add the RSS, euh ATOM feed to your feed reader.
This article from murblog by Maarten Brouwers (murb) is licensed under a Creative Commons Attribution 3.0 Netherlands license.