
Steps to create Self-Signed SSLs

Now that we have created our CA private and public key files, we are going to create another pair of public and private key files and sign them using our CA files. Follow the steps below:

Generating Self-Signed SSLs:

We now need to create the private key file of our SSL certificate. To do this, enter the following:

openssl genrsa -out cert-key.pem 4096

This will output a file called cert-key.pem, which is the private key file of our SSL certificate.

We now create what is known as a Certificate Signing Request (CSR) file, so that we can generate a public key file for the SSL certificate that has been signed by the CA files.

In "/CN=yourcn", enter any name you fancy, for example FirstNameInitialLastnameInitial Certificate Authority. To do this, enter the following command:

openssl req -new -sha256 -subj "/CN=yourcn" -key cert-key.pem -out cert.csr

We now need to create a file that contains the domains / IP address we want to create the SSL Certificate for:

echo "subjectAltName=DNS:kvis.network,DNS:*.kvis.network,IP:192.168.3.250" >> extfile.cnf

You can enter as many DNS entries as you want. The *.kvis.network entry is a wildcard domain, so anything.kvis.network will work. If you want something.anything.kvis.network to be authenticated with this SSL, you need to add an entry like so: "DNS:*.anything.kvis.network". I would recommend creating wildcard SSLs, so you don't have to create a new SSL every time you want to create an SSL for a service.

This is the step where you create the public key file of the SSL certificate:

openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf -CAcreateserial

You will be prompted to enter a passphrase. Enter the passphrase you used to secure your CA private key file.

This will output a file called cert.pem which is the public key file of this certificate and has also been signed by your CA.

You are not done just yet. A few more clean-up commands and your certificate will be ready.

For the SSL cert public key file, we need to create what is known as a chain file, which is quite simply the ca.pem file joined together with the cert.pem file. To do this, enter the following command:

cat cert.pem > fullchain.pem

Now enter this command:

cat ca.pem >> fullchain.pem

With that you have successfully created an SSL certificate that has been signed by your own CA!
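Before cert.pem is deleted in the clean-up below, it is worth confirming that the certificate chains to the CA, that it belongs to cert-key.pem, and that the subjectAltName entries cover the names you expect. The script below is an added example, not part of the original page; check_cert and make_demo are hypothetical helper names, and make_demo builds a constructed throwaway CA (2048-bit, no passphrase) only so the script runs on its own.

```shell
#!/bin/sh
# check_cert CA CERT KEY HOST  (hypothetical helper, not from the original page)
# Returns 0 = ok, 1 = not signed by CA, 2 = key does not match, 3 = HOST not in SAN.
check_cert() {
    ca=$1; cert=$2; key=$3; host=$4
    # 1. The certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2. The public key in the certificate must belong to the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 2
    # 3. HOST must be covered by a subjectAltName entry (a wildcard spans one label).
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" || return 3
    return 0
}

# make_demo DIR: constructed throwaway CA (2048-bit, no passphrase, 1 day) plus a
# certificate issued with the page's commands, so the script runs on its own.
make_demo() {
    ( cd "$1" &&
      openssl genrsa -out ca-key.pem 2048 &&
      openssl req -new -x509 -sha256 -days 1 -subj "/CN=Demo CA" -key ca-key.pem -out ca.pem &&
      openssl genrsa -out cert-key.pem 2048 &&
      openssl req -new -sha256 -subj "/CN=yourcn" -key cert-key.pem -out cert.csr &&
      echo "subjectAltName=DNS:kvis.network,DNS:*.kvis.network,IP:192.168.3.250" > extfile.cnf &&
      openssl x509 -req -sha256 -days 1 -in cert.csr -CA ca.pem -CAkey ca-key.pem \
          -out cert.pem -extfile extfile.cnf -CAcreateserial
    ) >/dev/null 2>&1
}

# Demo run on the constructed files: a one-label name passes, a two-label name does not.
d=$(mktemp -d) && make_demo "$d"
for h in app.kvis.network something.anything.kvis.network; do
    check_cert "$d/ca.pem" "$d/cert.pem" "$d/cert-key.pem" "$h"; echo "$h -> $?"
done
rm -rf "$d"
```

Against the real files from this page, run check_cert ca.pem cert.pem cert-key.pem followed by the host name you intend to serve.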

To organise everything, I recommend creating a directory for each domain you create a certificate for. Let's say I created a certificate for *.kvis.network; I would create a directory for that by running mkdir wildcard.kvis.network.

Next we need to move the required files into that directory. Do this by running the following line by line:

mv fullchain.pem ./wildcard.kvis.network/fullchain.pem
mv cert-key.pem ./wildcard.kvis.network/cert-key.pem
mv extfile.cnf ./wildcard.kvis.network/extfile.cnf
## the only reason I kept the extfile.cnf file is so that I
## can see which domains this SSL certificate is for

We can now remove some unnecessary files by running the following again:

rm cert.csr cert.pem

Once that is done, you are done! You can create more SSLs by following the previous steps again and again, and organise the files in a neat fashion. To upload the SSLs onto your WebUIs, simply search on Google for how to add an SSL certificate to a given piece of software.

In Proxmox, for example, you can navigate to networks and certificates, and add your custom certificates there. The private key is the contents of the cert-key.pem file, and anything along the lines of "chain" or "fullchain" or "Intermediary Certificate" will require the fullchain.pem to be uploaded.

Proceed to the next page to see how to add your custom Certificate Authority to the "Trusted Root Certificate Store" of your device.