50 ‐ Self‐Sign SSL Certificate - CloudScope/DevOpsWithCloudScope GitHub Wiki
Ensure OpenSSL is installed on your system:
-
Ubuntu/Debian:
sudo apt install openssl
-
RHEL/CentOS:
sudo yum install openssl
-
macOS:
brew install openssl
openssl genrsa -out my-ca.key 2048
Ex: openssl genrsa -out yobytech-infra.com.ca.key 2048openssl req -x509 -new -nodes -key my-ca.key -sha256 -days 3650 -out my-ca.crt -subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=MyRootCA"
Ex: openssl req -new -x509 -key yobytech-infra.com.ca.key -out yobytech-infra.com.ca.crt -days 3650 -subj "/C=IN/ST=ODISHA/O=YOBYTECH/OU=IT/CN=yobytech-infra.com/[email protected]"If we didn't pass -sub in above command and used below command, then we need to pass sub manually like below.
$ openssl req -new -x509 -key yobytech-infra.com.ca.key -out yobytech-infra.com.ca.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:ODISHA
Locality Name (eg, city) []:BBSR
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YOBYTECH
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:yobytech-infra.com
Email Address []:[email protected]- The
my-ca.crtis your self-signed root certificate, valid for 10 years (-days 3650).
openssl genrsa -out my-server.key 2048openssl req -new -key my-server.key -out my-server.csr -subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=myserver.example.com"openssl req -new -newkey rsa:2048 -nodes -keyout grafana.yobytech.com.key -out grafana.yobytech.com.csr -days 3650 -subj "/C=IN/ST=ODISHA/O=YOBYTECH/OU=IT/CN=grafana.yobytech.com/[email protected]"- Replace
myserver.example.comwith your server’s hostname or domain name.
Sign the CSR using your CA to generate the server certificate:
openssl x509 -req -in my-server.csr -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -out my-server.crt -days 365 -sha256
Ex: openssl x509 -req -in grafana.yobytech.com.csr -CA yobytech-infra.com.ca.crt -CAkey yobytech-infra.com.ca.key -CAcreateserial -days 3650 -out grafana.yobytech.com.crt-
my-server.crtis the server certificate signed by your CA, valid for 1 year (-days 365). -
my-ca.srlis the CA's serial number file.
Check the certificate details:
openssl x509 -in my-server.crt -text -nooutVerify the certificate against the CA:
openssl verify -CAfile my-ca.crt my-server.crtCopy the files to a directory accessible by Nginx, e.g., /etc/nginx/ssl/:
sudo mkdir -p /etc/nginx/ssl/
sudo cp my-server.crt my-server.key my-ca.crt /etc/nginx/ssl/Edit your Nginx configuration file (e.g., /etc/nginx/sites-available/default or /etc/nginx/nginx.conf) and add the following block:
server {
listen 443 ssl;
server_name myserver.example.com;
ssl_certificate /etc/nginx/ssl/my-server.crt;
ssl_certificate_key /etc/nginx/ssl/my-server.key;
ssl_trusted_certificate /etc/nginx/ssl/my-ca.crt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
root /var/www/html;
index index.html;
}
}-
Test the Nginx configuration:
sudo nginx -t
-
Reload Nginx:
sudo systemctl reload nginx
Open your browser and navigate to https://myserver.example.com. Since the certificate is self-signed, you may see a warning about the certificate not being trusted.
curl --cacert ca.crt https://domain_nameTo avoid browser warnings, add the my-ca.crt to your trusted certificate store:
-
Linux: Copy
my-ca.crtto/usr/local/share/ca-certificates/and update the CA store:sudo cp my-ca.crt /usr/local/share/ca-certificates/ sudo update-ca-certificates
-
macOS: Use Keychain Access to import and trust the CA certificate.
-
Windows: Use the Certificate Manager to import and trust the CA certificate.
-
my-ca.key: Private key for the CA. -
my-ca.crt: Self-signed root CA certificate. -
my-server.key: Server private key. -
my-server.csr: Server certificate signing request. -
my-server.crt: Server SSL certificate signed by the CA.
Important
The issue occurs because the application or curl expects the full certificate chain to validate the server's SSL certificate. Here’s how to diagnose and resolve the issue:
-
Why the Server Certificate Works:
Passing the server certificate (--cacert my-server.crt) works because the certificate directly matches the server’s identity, bypassing intermediate validation. -
Why the Root Certificate Fails:
The root certificate alone cannot validate the server certificate unless the full chain (intermediate + root) is presented by the server or passed tocurl.
Check what the server is presenting:
openssl s_client -connect <server>:443 -showcerts- Look for the certificates displayed. Ideally, the server should present:
- The server certificate.
- The intermediate certificate(s).
- Optionally, the root certificate.
If the intermediate certificate is missing, the validation will fail unless explicitly provided by the client.
- Combine the intermediate and root certificates into a single file:
cat intermediateCA.crt rootCA.crt > chain.crt - Use this file as the
--cacert:curl --cacert chain.crt https://<server>
Ensure the server is configured to serve the full certificate chain, including the intermediate certificates. For example:
-
Nginx Configuration:
ssl_certificate /path/to/fullchain.crt; # Includes server + intermediate(s) ssl_certificate_key /path/to/my-server.key;
The
fullchain.crtshould contain:cat my-server.crt intermediateCA.crt > fullchain.crt -
Apache Configuration:
SSLCertificateFile /path/to/my-server.crt SSLCertificateChainFile /path/to/intermediateCA.crt SSLCertificateKeyFile /path/to/my-server.key
After updating the certificates or server configuration, verify with curl:
curl --cacert rootCA.crt https://<server>If the server is configured correctly, the root certificate should work without needing the intermediate certificates explicitly on the client side.
If issues persist:
-
Debug Certificate Validation: Use
curl -vfor verbose output:curl --cacert rootCA.crt -v https://<server>
-
Check the CA Path: If using
--capath, ensure the directory contains all necessary CA certificates, and they are hashed using:c_rehash /path/to/ca-directory
If your ca.pem (the certificate file for the root CA) isn't working as expected on Windows, there are several potential causes and steps you can take to troubleshoot the issue. Here's a breakdown of things you can try to resolve the problem:
- Ensure that the
ca.pemfile is a valid PEM-encoded certificate (you should see something like-----BEGIN CERTIFICATE-----at the beginning and-----END CERTIFICATE-----at the end). - If you're unsure whether the certificate is correct, you can check it using OpenSSL on a Linux or macOS machine:
openssl x509 -in ca.pem -text -noout
- If the certificate displays correctly, then it is valid.
For the certificate to work, you must ensure that it is properly added to the Windows trusted root certification authorities store. Here's how to do it:
-
Open the Microsoft Management Console (MMC):
- Press
Windows + R, then typemmcand press Enter.
- Press
-
Add the Certificates Snap-In:
- In the MMC window, click on
Filein the menu and then selectAdd/Remove Snap-in. - Select
Certificatesfrom the list and clickAdd. - Choose
Computer accountand thenLocal computer. ClickFinish, thenOK.
- In the MMC window, click on
-
Import the CA Certificate:
- In the MMC window, expand
Certificates (Local Computer), then right-click onTrusted Root Certification Authorities. - Select
All Tasks>Import. - Follow the import wizard to locate and select your
ca.pemfile and install it.
- In the MMC window, expand
-
Verify the Installation:
- Once installed, the certificate should be visible under
Trusted Root Certification Authorities > Certificates. - If the CA is not listed here, double-check the file format and ensure that it was imported correctly.
- Once installed, the certificate should be visible under