Self Signed SSL Certificate - cllu/.rc GitHub Wiki

Create SSL Certificate

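# Create the CA Key and Certificate for signing Client Certs.
# -des3 encrypts the CA key with a passphrase (prompted). Anyone holding
# ca.key can issue certificates this setup trusts, so keep it protected.
# -sha256 is given explicitly so older OpenSSL builds do not fall back to
# SHA-1 signatures.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt

# Create the Server key and CSR files.
# -nodes leaves server.key unencrypted so nginx can load it without a
# passphrase; restrict the file's permissions accordingly.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr

# We're self signing our own server cert here.  This is a no-no in production.
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR.
# 2048-bit RSA: the original 1024-bit key is below the currently accepted
# minimum key size.
openssl genrsa -des3 -out client.key 2048
openssl req -new -sha256 -key client.key -out client.csr

# Sign the client certificate with our CA cert.
# Unlike signing our own server cert, this is what we want to do.
# Remember to increase the set_serial: a CA must never issue two
# certificates with the same serial number.
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt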

Nginx setup

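server {
    # "ssl on;" is deprecated; enabling TLS on the listen socket is the
    # supported form and behaves the same for this server block.
    listen        443 ssl;
    server_name example.com;

    ssl_certificate      /etc/nginx/certs/server.crt;
    ssl_certificate_key  /etc/nginx/certs/server.key;
    # CA that presented client certificates must chain to. With
    # ssl_verify_client on, nginx rejects requests lacking a valid client
    # certificate before they reach the backend.
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;
    # Protocol and cipher defaults vary by nginx version; set ssl_protocols
    # and ssl_ciphers explicitly to current recommendations when deploying.

    location / {
        root           /var/www/example.com/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_param  SCRIPT_FILENAME /var/www/example.com/lib/Request.class.php;
        # $ssl_client_verify is "SUCCESS" for a verified client; the backend
        # should check VERIFIED rather than trusting DN on its own.
        fastcgi_param  VERIFIED $ssl_client_verify;
        fastcgi_param  DN $ssl_client_s_dn;
        include        fastcgi_params;
    }
}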

Import to Browsers

For Linux systems, to import the root CA:

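# Add ca.crt to the user's NSS database. -t "C,," marks it as a trusted CA
# for SSL only (the other two fields, email and object signing, are left
# unset). $HOME is used instead of a fixed home path so the command matches
# the pk12util invocation below; the expansion is quoted in case the path
# contains spaces.
certutil -d "sql:$HOME/.pki/nssdb" -A -t "C,," -i ca.crt -n "Chunliang LYU"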

To import the client keys:

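# Convert to PKCS#12: bundles client.crt, client.key and the CA chain into
# one file (export passphrase prompted). client.p12 contains the private
# key, so keep it readable only by the owner.
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -chain -CAfile ca.crt

# Combine the key and crt into a single PEM file. -clcerts writes only the
# client certificate (no CA certs); the private key is written as well.
openssl pkcs12 -in client.p12 -out client.pem -clcerts
# Import into the NSS database on Linux (the same store the CA was added to).
# $HOME is quoted so the path survives spaces.
pk12util -d "sql:$HOME/.pki/nssdb" -i client.p12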

References