Tuesday, 17 May 2022

self-signed certificate take 2

Generate self-signed certificate (with basic constraints extension CA:TRUE):
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
  -keyout /etc/nginx/tls/wyga-ca.key \
  -out /etc/nginx/tls/wyga-ca.pem \
  -subj '/CN=WYGA-CA/'

Add the CA as trusted in your browser (works with Chrome).

Regenerate certificate with SNI names:
openssl req -x509 -nodes -sha256 -days 3650 \
  -key /etc/nginx/tls/wyga-ca.key \
  -out /etc/nginx/tls/wyga-ca.pem \
  -subj '/CN=WYGA-CA/' \
  -addext "subjectAltName = DNS:test.nginx.wyga.cf, DNS:test1.nginx.wyga.cf, DNS:test2.nginx.wyga.cf"

Firefox is more secure in this respect. This will not work with that browser ;)

d="change-me"
{
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
  -keyout "${d}.key" \
  -out "${d}.pem" \
  -subj '/CN=WYGA-CA/'
}
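
A layout that keeps the CA and the server certificate separate, for clients that refuse a CA certificate presented as a server certificate: the SAN names go on a CA:FALSE leaf signed by WYGA-CA instead of on the CA certificate itself. This is an added example, not from the original post; the scratch directory, the ca.* and leaf.* file names, and the 365-day leaf lifetime are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): CA and server certificate kept separate.
# File names and the scratch directory are constructed for this demo.

# make_ca_and_leaf DIR NAME [NAME...]  -> DIR/ca.{key,pem}, DIR/leaf.{key,pem}
make_ca_and_leaf() (
  dir="$1"; shift
  san=""
  for name in "$@"; do san="${san:+$san, }DNS:$name"; done
  umask 077   # -nodes writes unencrypted private keys: keep them owner-only

  # 1. CA certificate, same command shape as in the post (on a stock
  #    openssl.cnf, CA:TRUE comes from its x509_extensions section).
  openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj '/CN=WYGA-CA/' 2>/dev/null || exit 1

  # 2. Server key + CSR; the CN is the first DNS name.
  openssl req -new -nodes -sha256 -newkey rsa:2048 \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=$1/" 2>/dev/null || exit 1

  # 3. Sign the CSR with the CA; the SAN list goes on the leaf, not on the CA.
  printf '%s\n' \
    'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = $san" > "$dir/leaf.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null || exit 1
)

# True if the leaf chains to the CA.
leaf_verifies() { openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# True if the certificate's text dump contains the given string.
cert_has() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }

demo_dir=$(mktemp -d)
make_ca_and_leaf "$demo_dir" test.nginx.wyga.cf test1.nginx.wyga.cf test2.nginx.wyga.cf \
  && leaf_verifies "$demo_dir" && echo "leaf.pem chains to ca.pem in $demo_dir"
```

With this layout only ca.pem is imported into the browser, nginx serves leaf.pem with leaf.key, and ca.key can stay off the web server.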
