Steps to create Self-Signed SSLs
Now that we have created our CA private and public key files, we are going to create another pair of public and private key files and sign them using our CA files. Follow the steps below:
Generating Self-Signed SSLs:
We now need to create the private key file of our SSL certificate. To do this, enter the following:
openssl genrsa -out cert-key.pem 4096
This will output a file called cert-key.pem, which is the private key file of our SSL certificate.
We now create what is known as a Certificate Signing Request (CSR) file, so that we can generate a public key file for the SSL certificate that has been signed by the CA files. In "/CN=yourcn", enter any name you fancy, for example FirstNameInitialLastnameInitial Certificate Authority. To do this, enter the following command:
openssl req -new -sha256 -subj "/CN=yourcn" -key cert-key.pem -out cert.csr
We now need to create a file that contains the domains / IP address we want to create the SSL Certificate for:
echo "subjectAltName=DNS:kvis.network,DNS:*.kvis.network,IP:192.168.3.250" >> extfile.cnf
You can enter as many DNS entries as you want. The *.kvis.network entry is a wildcard domain, so anything.kvis.network will work. A wildcard only covers one level of subdomain, so if you want something.anything.kvis.network to be authenticated with this SSL, you need to add an entry like so: "DNS:*.anything.kvis.network". I would recommend creating wildcard SSLs, so you wouldn't have to create a new SSL every time you want to create an SSL for a service.
This is the step where you create the public key file of the SSL certificate:
openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf -CAcreateserial
You will be prompted to enter a passphrase. Enter the passphrase you used to secure your CA private key file.
This will output a file called cert.pem, which is the public key file of this certificate and has also been signed by your CA.
You are not done just yet. A few more cleaning up commands and your certificate will be ready.
For the SSL cert public key file, we need to create what is known as a chain file, which is quite simply the ca.pem file joined together with the cert.pem file. To do this, enter the following command:
cat cert.pem > fullchain.pem
Now enter this command:
cat ca.pem >> fullchain.pem
With that you have successfully created an SSL certificate that has been signed by your own CA!
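A way to check the result before deploying it, as an added example that is not part of the original page: it repeats the steps above in a temp directory, then confirms the CA signature, the key/certificate pairing and which names the subjectAltName entries really cover. The throwaway "Demo CA" (no passphrase), the 2048-bit keys, the 1-day validity and the function names are assumptions made for the demo.

```bash
#!/bin/sh
# Added example (not from the original page): rebuild the certificate from the
# steps above in a temp directory, then check it before deploying it.
set -eu

make_demo_pki() {  # $1 = empty working directory
  ( cd "$1"
    # Assumption: throwaway CA, unencrypted and 2048-bit to keep the demo quick.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1 \
      -subj "/CN=Demo CA" -keyout ca-key.pem -out ca.pem 2>/dev/null
    openssl genrsa -out cert-key.pem 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=yourcn" -key cert-key.pem -out cert.csr
    echo "subjectAltName=DNS:kvis.network,DNS:*.kvis.network,IP:192.168.3.250" > extfile.cnf
    openssl x509 -req -sha256 -days 1 -in cert.csr -CA ca.pem -CAkey ca-key.pem \
      -out cert.pem -extfile extfile.cnf -CAcreateserial 2>/dev/null )
}

chain_ok() {       # $1 = dir: does cert.pem verify against ca.pem?
  openssl verify -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null 2>&1
}

key_matches() {    # $1 = dir: is cert-key.pem the private key for cert.pem?
  pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 1
  [ "$pub" = "$(openssl pkey -in "$1/cert-key.pem" -pubout 2>/dev/null)" ]
}

host_ok() {        # $1 = dir, $2 = hostname checked against the SAN entries
  openssl x509 -in "$1/cert.pem" -noout -checkhost "$2" | grep -q "does match"
}

ip_ok() {          # $1 = dir, $2 = IP address checked against the SAN entries
  openssl x509 -in "$1/cert.pem" -noout -checkip "$2" | grep -q "does match"
}

show() {           # $1 = label, rest = check to run; prints one result line
  label=$1; shift
  if "$@"; then echo "yes  $label"; else echo "no   $label"; fi
}

demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  show "signed by ca.pem"                 chain_ok "$d"
  show "cert-key.pem matches cert.pem"    key_matches "$d"
  show "anything.kvis.network"            host_ok "$d" anything.kvis.network
  show "something.anything.kvis.network"  host_ok "$d" something.anything.kvis.network
  show "192.168.3.250"                    ip_ok "$d" 192.168.3.250
  rm -rf "$d"
}
demo
```

Against real files, call the check functions with the directory that holds ca.pem, cert.pem and cert-key.pem.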
To organise everything, I recommend creating a directory for each domain you create a certificate for. Let's say I created a certificate for *.kvis.network; I would create a directory for that by running mkdir wildcard.kvis.network.
Next we need to move the required files into that directory. Do this by running the following line by line:
mv fullchain.pem ./wildcard.kvis.network/fullchain.pem
mv cert-key.pem ./wildcard.kvis.network/cert-key.pem
mv extfile.cnf ./wildcard.kvis.network/extfile.cnf
## the only reason I keep the extfile.cnf file is so that I
## can see which domains this SSL certificate is for
We can now remove some unnecessary files by running this command:
rm cert.csr cert.pem
Once that is done, you are done! You can create more SSLs by following the previous steps again and organise the files in a neat fashion. To upload the SSLs onto your WebUIs, simply search on Google for how to add the SSL certificate for a given piece of software.
In Proxmox, for example, you can navigate to networks and certificates and add your custom certificates there. The private key is the contents of the cert-key.pem file, and anything along the lines of "chain", "fullchain" or "Intermediary Certificate" will require the fullchain.pem to be uploaded.
Proceed to next page to see how to add your custom Certificate Authority to the "Trusted Root Certificate Store" of your device