Updates self-signed certificates for more recent browsers.

2025-10-31 08:55:36 -04:00 · 2018-01-04 06:30:55 +00:00 · 2018-01-04 06:30:55 +00:00 · 38d66155c8
commit 38d66155c8
parent b961002595
1 changed files with 70 additions and 8 deletions
--- a/examples/secure-terminals.txt
+++ b/examples/secure-terminals.txt
@ -17,15 +17,77 @@ D.   <Directory /var/www/html>

 SSL (do not settle for anything less)

-Under Debian:
-A.  openssl req -new -x509 -nodes -out ssl-cert-snakeoil.pem -days 36500 -keyout ssl-cert-snakeoil.key (100 year certificate)
-B.  cp ssl-cert-snakeoil.key /etc/ssl/private/
-    cp ssl-cert-snakeoil.pem /etc/ssl/certs/
-C.  a2enmod ssl;
+- SELF-SIGNED
+Under Debian (updated for Chrome 58 or greater):
+
+I.
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 36500 -out rootCA.pem
+
+create this file - v3.ext:
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = %%DOMAIN%%
+
+Run this script in same directory as v3.ext file:
+if [ -z "$1" ]
+then
+  echo "Please supply a domain to create a certificate for";
+  echo "e.g. mysite.com"
+  exit;
+fi
+
+# Create a new private key if one doesnt exist, or use the existing one if it does
+if [ -f device.key ]; then
+  KEY_OPT="-key"
+else
+  KEY_OPT="-keyout"
+fi
+
+DOMAIN=$1
+COMMON_NAME=${2:-*.$1}
+SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
+NUM_OF_DAYS=36500
+openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
+cat v3.ext | sed s/%%DOMAIN%%/$COMMON_NAME/g > /tmp/__v3.ext
+openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext 
+
+# move output files to final filenames
+mv device.csr $DOMAIN.csr
+cp device.crt $DOMAIN.crt
+
+# remove temp file
+rm -f device.crt;
+
+echo 
+echo "###########################################################################"
+echo Done! 
+echo "###########################################################################"
+echo "To use these files on your server, simply copy both $DOMAIN.csr and"
+echo "device.key to your webserver, and use like so (if Apache, for example)"
+echo 
+echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
+echo "    SSLCertificateKeyFile /path_to_your_files/device.key"
+
+
+II.  cp device.key /etc/ssl/private/ssl-cert-snakeoil.key
+     cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+III. a2enmod ssl;
     a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above)
     a2dissite 000-default.conf;

- An alternative would be to use letsencrypt.  If you are using a reverse proxy, usually nginx-proxy,
+In the Chromium broswer: chrome://settings/certificates
+  Choose IMPORT in AUTHORITIES
+  Upload the public certificate you created, e.g. rootCA.key
+  check "Trust this certificate for identifying websites"
+    
+- LETSENCRYPT
+ A preferable alternative would be to use letsencrypt.  If you are using a reverse proxy, usually nginx-proxy,
 make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address, 
 because YBDB shops keep track of their unique ip.