Skip to main content

How to create Your Own Self-Signed Certificates

You know how there are services like Let's Encrypt offering SSL Certificates Cheat-Sheet

that

X.509work on the WAN and the World Wide Web? Well we are going become our own Certificate Authority like let's encrypt, and we will sign our own ssl certificates with our custom CA (Certificate Authority) certificate.

This is an ITU standard defininghow the formatsystem works:

On almost every device, certificates of public"trusted keyRoot certificates.Certificate X.509Authorities" are usedstored, inso TLS/SSL,that whichwhen isyou visit a HTTPS website, and the basisSSL forit HTTPS. An X.509 certificate binds an identity to a public key using a digital signature. A certificate contains an identity (hostname, organization, etc.) and a public key (RSA, DSA, ECDSA, ed25519, etc.), andpresents is either signed by aone of these "Trusted Root Certificate Authority or is Self-Signed.

---

Self-Signed Certificates

Generate CA

  1. Generate RSA
openssl genrsa -aes256 -out ca-key.pem 4096
  1. Generate a public CA Cert
openssl req -new -x509 -sha256 -days 365 -key ca-key.pem -out ca.pem


Generate Certificate

  1. Create a RSA key
openssl genrsa -out cert-key.pem 4096
  1. Create a Certificate Signing Request (CSR)
openssl req -new -sha256 -subj "/CN=yourcn" -key cert-key.pem -out cert.csr
  1. Create a extfile with allAuthorities", the alternativedevice/ names
    2. browser
will 
echoautomatically "subjectAltName=DNS:your-dns.record,IP:257.10.10.1"trust >>it extfile.cnf
and 
# optional
echo extendedKeyUsage = serverAuth >> extfile.cnf
  1. Createdisplay the certificate
    2. lock 
openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf -CAcreateserial


Certificate Formats

X.509 Certificates exist in Base64 Formats PEM (.pem, .crt, .ca-bundle), PKCS#7 (.p7b, p7s) and Binary Formats DER (.der, .cer), PKCS#12 (.pfx, p12).symbol.

Convert Certs
COMMANDCONVERSION
openssl x509 -outform der -in cert.pem -out cert.derPEM to DER
openssl x509 -inform der -in cert.der -out cert.pemDER to PEM
openssl pkcs12 -in cert.pfx -out cert.pem -nodesPFX to PEM


Verify Certificates

openssl verify -CAfile ca.pem -verbose cert.pem

Install the CA Cert as a trusted root CA

On Debian & Derivatives
  • Move the CA certificate (ca.pem) into /usr/local/share/ca-certificates/ca.crt.
  • Update the Cert Store with:
sudo update-ca-certificates

Refer the documentation here and here.

On Fedora
  • Move the CA certificate (ca.pem) to /etc/pki/ca-trust/source/anchors/ca.pem or /usr/share/pki/ca-trust-source/anchors/ca.pem
  • Now run (with sudo if necessary):
update-ca-trust

Refer the documentation here.

On Arch

System-wide – Arch(p11-kit) (From arch wiki)

  • Run (As root)
trust anchor --store myCA.crt
  • The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit and the "legacy" directories automatically updated.
  • If you get "no configured writable location" or a similar error, import the CA manually:
  • Copy the certificate to the /etc/ca-certificates/trust-source/anchors directory.
  • and then
update-ca-trust

wiki page here

On Windows

Assuming the path to your generated CA certificate as C:\ca.pem, run:

Import-Certificate -FilePath "C:\ca.pem" -CertStoreLocation Cert:\LocalMachine\Root
  • Set -CertStoreLocation to Cert:\CurrentUser\Root in case you want to trustsee these "Trusted Root Certificate Authorities" for yourself, follow the steps below:

    On windows:

    Press on the start button, and search certificates onlyand you should see an app called "Manage Computer Certificates"

    Click on that, and on the left menu, you should see "Trusted Root Certificate Authorities".

    Click on that and you should see a massive dropdown with names of many different companies and familiar ones such as Microsoft, Amazon, Google etc., This means that any website that presents SSLs, signed by any of these Root CAs, will be instantly trusted.

    To create our own SSL certs for local domains, we need to first create a Certificate Authority file, which will then sign our generated SSLs, I will explain the process as we go ahead.

    Prerequisites:
    • You need to know how to setup your own local, recursive DNS server and create local DNS records that point to certain IP addresses (Something like Pi-hole is perfect for this)
    • You need to have a linux machine
    How we will implement this on our local LAN:
    • Using our local DNS resolver like Pi-Hole, we will create custom domains (something like kvis.network) to point to an IP address running a particular services
    • We will create a Certificate Authority File and add it to the "Trusted Root Certificate Authority" store of the devices you will be using to visit these custom domains**
    • We will generate SSL certs that are signed by our CA file
    • You can either upload this SSL directly into service like Proxmox's Web UI, or you can use a reverse proxy like NGINX Proxy Manager to configure SSLs, just like you would for the logged in user.WAN.

    ORProceed to next step, to see steps on how to create SSLs

    In Command Prompt, run:

    certutil.exe -addstore root C:\ca.pem
    • certutil.exe is a built-in tool (classic System32 one) and adds a system-wide trust anchor.
    On Android

    The exact steps vary device-to-device, but here is a generalised guide:

    1. Open Phone Settings
    2. Locate Encryption and Credentials section. It is generally found under Settings > Security > Encryption and Credentials
    3. Choose Install a certificate
    4. Choose CA Certificate
    5. Locate the certificate file ca.pem on your SD Card/Internal Storage using the file manager.
    6. Select to load it.
    7. Done!

    Links:

    Useful Vid

Back to top