Steps to create Self-Signed SSLs
Now that we have created our CA private and public key files, we are now going to create another pair of public and private key files and sign them using our CA files. Follow the steps below:
Generating Self-Signed SSLs:
We now need to create the private key file of our SSL certificate. To do this, enter the following:
openssl genrsa -out cert-key.pem 4096
This will output a file called
cert-key.pem, which is the private key file of our SSL certificate.
We now create what is known as a Certificate Signing Request File, so that we can generate a public key file for the SSL certificate that has been signed by the CA files. To do this enter the following command:
"/CN-yourcn", enter any name you fancy, for example
FirstNameInitialLastnameInitial Certificate Authority
openssl req -new -sha256 -subj "/CN=yourcn" -key cert-key.pem -out cert.csr
We now need to create a file that contains the domains / IP address we want to create the SSL Certificate for:
echo "subjectAltName=DNS:kvis.network,DNS:*.kvis.network,IP:192.168.3.250" >> extfile.cnf
You can enter as many DNS entries as you want. The
*.kvis.network is a wildcard domain so
anything.kvis.network will work. If you want
something.anything.kvis.network to be authenticated with this SSL, you need add an entry like so:
"DNS:*.anything.kvis.network . I would recommend creating wildcard SSLs, so you wouldn't have to create a new SSL everytime you want create a SSL for a service
This is the step where you create the public key file of the SSL certificate:
openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf -CAcreateserial
You will be prompted to enter a passphrase. Enter the passphrase you used to secure your CA private key file.
This will output a file called
cert.pem which is the public key file of this certificate and has also been signed by your CA.
You are not done just yet. A few more cleaning up commands and your certificate will be ready.
For the SSL cert public key file, we need to create what is known as a chain file, which is quite simply the
ca.pem file joiend together with the
cert.pem file. To do this enter the following command:
cat cert.pem > fullchain.pem
Now enter this command:
cat ca.pem >> fullchain.pem
With that you have successfully created a SSL certificate that has been signed by your own CA!
To organise everything I recommend creating a directory for each domain you create a certficate for. Let's say i created a certificate for
*.kvis.network, I would create a directory for that by running
Next we need move the required files into that directory. Do this by running the following line by line:
mv fullchain.pem ./wildcard.kvis.network/fullchain.pem
mv cert-key.pem ./wildcard.kvis.network/fullchain.pem
mv extfile.cnf ./wildcard.kvis.network/extfile.cnf
##the only reason i copied the extfile.cnf file is because i
## can see which domains this ssl certificate is for
We can now remove some unnecessary files by running this command:
rm cert.csr cert.pem
Once that is done you are done!, you can create SSLs by following the previous steps again and again and organise the files in a neat fashion. To upload the SSLs, onto your WebUIs, simply search on google how to add the SSL certificate for a given piece of software.
In Proxmox for example, you can navigate to networks and certificates, and add your custom certificates there. The private key is contents of the
cert-key.pem file and anything along the lines of "chain" or "fullchain" or "Intermediary Certificate" will require the
fullchain.pem to be uploaded.
Proceed to next page to see how to add your custom Certificate Authority to the "Trusted Root Certificate Store" of your device