|
|
|
@ -17,15 +17,77 @@ D. <Directory /var/www/html> |
|
|
|
|
|
|
|
SSL (do not settle for anything less) |
|
|
|
|
|
|
|
Under Debian: |
|
|
|
A. openssl req -new -x509 -nodes -out ssl-cert-snakeoil.pem -days 36500 -keyout ssl-cert-snakeoil.key (100 year certificate) |
|
|
|
B. cp ssl-cert-snakeoil.key /etc/ssl/private/ |
|
|
|
cp ssl-cert-snakeoil.pem /etc/ssl/certs/ |
|
|
|
C. a2enmod ssl; |
|
|
|
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above) |
|
|
|
a2dissite 000-default.conf; |
|
|
|
- SELF-SIGNED |
|
|
|
Under Debian (updated for Chrome 58 or greater): |
|
|
|
|
|
|
|
I. |
|
|
|
openssl genrsa -out rootCA.key 2048 |
|
|
|
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 36500 -out rootCA.pem |
|
|
|
|
|
|
|
create this file - v3.ext: |
|
|
|
authorityKeyIdentifier=keyid,issuer |
|
|
|
basicConstraints=CA:FALSE |
|
|
|
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment |
|
|
|
subjectAltName = @alt_names |
|
|
|
|
|
|
|
[alt_names] |
|
|
|
DNS.1 = %%DOMAIN%% |
|
|
|
|
|
|
|
Run this script in same directory as v3.ext file: |
|
|
|
if [ -z "$1" ] |
|
|
|
then |
|
|
|
echo "Please supply a domain to create a certificate for"; |
|
|
|
echo "e.g. mysite.com" |
|
|
|
exit; |
|
|
|
fi |
|
|
|
|
|
|
|
# Create a new private key if one doesnt exist, or use the existing one if it does |
|
|
|
if [ -f device.key ]; then |
|
|
|
KEY_OPT="-key" |
|
|
|
else |
|
|
|
KEY_OPT="-keyout" |
|
|
|
fi |
|
|
|
|
|
|
|
DOMAIN=$1 |
|
|
|
COMMON_NAME=${2:-*.$1} |
|
|
|
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME" |
|
|
|
NUM_OF_DAYS=36500 |
|
|
|
openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr |
|
|
|
cat v3.ext | sed s/%%DOMAIN%%/$COMMON_NAME/g > /tmp/__v3.ext |
|
|
|
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext |
|
|
|
|
|
|
|
# move output files to final filenames |
|
|
|
mv device.csr $DOMAIN.csr |
|
|
|
cp device.crt $DOMAIN.crt |
|
|
|
|
|
|
|
# remove temp file |
|
|
|
rm -f device.crt; |
|
|
|
|
|
|
|
echo |
|
|
|
echo "###########################################################################" |
|
|
|
echo Done! |
|
|
|
echo "###########################################################################" |
|
|
|
echo "To use these files on your server, simply copy both $DOMAIN.csr and" |
|
|
|
echo "device.key to your webserver, and use like so (if Apache, for example)" |
|
|
|
echo |
|
|
|
echo " SSLCertificateFile /path_to_your_files/$DOMAIN.crt" |
|
|
|
echo " SSLCertificateKeyFile /path_to_your_files/device.key" |
|
|
|
|
|
|
|
|
|
|
|
II. cp device.key /etc/ssl/private/ssl-cert-snakeoil.key |
|
|
|
cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem |
|
|
|
|
|
|
|
III. a2enmod ssl; |
|
|
|
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above) |
|
|
|
a2dissite 000-default.conf; |
|
|
|
|
|
|
|
In the Chromium broswer: chrome://settings/certificates |
|
|
|
Choose IMPORT in AUTHORITIES |
|
|
|
Upload the public certificate you created, e.g. rootCA.key |
|
|
|
check "Trust this certificate for identifying websites" |
|
|
|
|
|
|
|
An alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy, |
|
|
|
- LETSENCRYPT |
|
|
|
A preferable alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy, |
|
|
|
make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address, |
|
|
|
because YBDB shops keep track of their unique ip. |
|
|
|
|
|
|
|
|
Jonathan Rosenbaum
6 years ago